Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message which could be exploited with the phpCAS client library that is shipped as part of Moodle. Only fix for this issue was picked to phpCAS library in Moodle, the library will be upgraded to the latest version in the next major Moodle release. See also https://github.com/Jasig/phpCAS/issues/228
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | ngocdh |
| CVE identifier: | CVE-2017-1000071 (requested by phpCAS) |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59456 |
| Tracker issue: | MDL-59456 Authentication bypass vulnerability on phpCAS library |