Security announcements

MSA-17-0016: Authentication bypass vulnerability with old CAS servers

Posted by Marina Glancy

Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message, which could be exploited through the phpCAS client library shipped as part of Moodle. Only the fix for this issue has been applied to the phpCAS library bundled with Moodle; the library will be upgraded to the latest version in the next major Moodle release. See also https://github.com/Jasig/phpCAS/issues/228
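The advisory does not spell out the mechanism, so the following is an added illustration and not code from Moodle or phpCAS. It assumes (as the linked phpCAS issue describes) that the server's unescaped failure message ends up inside the CAS 2.0 `serviceValidate` XML response, so that a client which looks for `authenticationSuccess` anywhere in the document can be fooled by a success element that is not where the protocol puts it. The naive parser mirrors a lookup-by-tag-name approach; the hardened parser accepts a success element only as a direct child of `serviceResponse` and rejects any response that also carries a failure element. The CAS namespace is the real one; the sample responses are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
SUCCESS_TAG = f"{{{CAS_NS}}}authenticationSuccess"
FAILURE_TAG = f"{{{CAS_NS}}}authenticationFailure"
RESPONSE_TAG = f"{{{CAS_NS}}}serviceResponse"
USER_TAG = f"{{{CAS_NS}}}user"

# Constructed sample responses (not captured from any real CAS server).
SUCCESS_RESPONSE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    "<cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>"
    "</cas:serviceResponse>"
)
FAILURE_RESPONSE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationFailure code="INVALID_TICKET">'
    "Ticket ST-1 not recognized"
    "</cas:authenticationFailure>"
    "</cas:serviceResponse>"
)
# A failure response whose message body carries a success element: this is
# what an unescaped, attacker-influenced failure message can turn into.
NESTED_RESPONSE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationFailure code="INVALID_TICKET">'
    "Ticket <cas:authenticationSuccess><cas:user>admin</cas:user>"
    "</cas:authenticationSuccess> not recognized"
    "</cas:authenticationFailure>"
    "</cas:serviceResponse>"
)


def _user_of(success_el):
    """Extract a non-empty user name from an authenticationSuccess element."""
    user = success_el.find(USER_TAG)
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


def naive_parse(xml_text):
    """Vulnerable pattern: search the whole tree for authenticationSuccess.

    This is the behaviour of a getElementsByTagName-style lookup; it
    happily returns a user from a success element buried inside the
    failure message.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for el in root.iter(SUCCESS_TAG):
        return _user_of(el)
    return None


def hardened_parse(xml_text):
    """Hardened pattern: only trust a direct child of serviceResponse.

    Returns the authenticated user name, or None when the response is
    malformed, reports a failure, or does not carry exactly one top-level
    authenticationSuccess element.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != RESPONSE_TAG:
        return None
    # Direct children only: anything nested deeper is not protocol data.
    successes = [c for c in root if c.tag == SUCCESS_TAG]
    failures = [c for c in root if c.tag == FAILURE_TAG]
    if failures or len(successes) != 1:
        return None
    return _user_of(successes[0])


if __name__ == "__main__":
    for name, resp in (("success", SUCCESS_RESPONSE),
                       ("failure", FAILURE_RESPONSE),
                       ("nested", NESTED_RESPONSE)):
        print(f"{name:8} naive={naive_parse(resp)!r:8} hardened={hardened_parse(resp)!r}")
```

The structural check is the whole point: both parsers agree on well-formed success and failure responses, but only the hardened one refuses the nested case, and it does so without needing to know how the stray element got there.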


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: ngocdh
CVE identifier: CVE-2017-1000071 (requested by phpCAS)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59456
Tracker issue: MDL-59456 Authentication bypass vulnerability on phpCAS library