9.8
CVE-2014-3527
- EPSS 0.36%
- Veröffentlicht 25.05.2017 17:29:00
- Zuletzt bearbeitet 20.04.2025 01:37:25
- Quelle security_alert@emc.com
- Teams Watchlist Login
- Unerledigt Login
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Security Version3.1.0
VMware ≫ Spring Security Version3.1.1
VMware ≫ Spring Security Version3.1.2
VMware ≫ Spring Security Version3.1.3
VMware ≫ Spring Security Version3.1.4
VMware ≫ Spring Security Version3.2.0
VMware ≫ Spring Security Version3.2.1
VMware ≫ Spring Security Version3.2.2
VMware ≫ Spring Security Version3.2.3
VMware ≫ Spring Security Version3.2.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.551 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.