9.8
CVE-2014-3527
- EPSS 0.36%
- Published 25.05.2017 17:29:00
- Last modified 20.04.2025 01:37:25
- Source security_alert@emc.com
- Teams watchlist Login
- Open Login
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.
Data is provided by the National Vulnerability Database (NVD)
VMware ≫ Spring Security Version3.1.0
VMware ≫ Spring Security Version3.1.1
VMware ≫ Spring Security Version3.1.2
VMware ≫ Spring Security Version3.1.3
VMware ≫ Spring Security Version3.1.4
VMware ≫ Spring Security Version3.2.0
VMware ≫ Spring Security Version3.2.1
VMware ≫ Spring Security Version3.2.2
VMware ≫ Spring Security Version3.2.3
VMware ≫ Spring Security Version3.2.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.551 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.