CVE-2014-2296
Severity: HIGH
Apereo CAS Server < 3.4.12.1 - Unauthenticated XML External Entity Injection in SamlUtils
Title source: manual
Description
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
References (2)
Core References
- Release Notes, Vendor Advisory, mailing-list (x_refsource_mlist): http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4662444.html
- Third Party Advisory (x_refsource_misc): https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-via-Google-Accounts-Integration-14512
Scores
CVSS v3: 8.8
EPSS: 0.0205
EPSS Percentile: 78.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-611
Status: published
Products (1)
apereo/cas_server < 3.4.12.1
Published: Jul 20, 2018
Tracked Since: Feb 18, 2026