CVE-2022-39369: Service Hostname Discovery Exploitation in phpCAS
First published: Tue Nov 01 2022(Updated: )
Last updated 31 July 2024
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apereo Phpcas | <1.6.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| debian/php-cas | 1.3.8-1+deb11u1 1.6.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64
- https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/
- https://launchpad.net/bugs/cve/CVE-2022-39369
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/
- https://github.com/apereo/phpCAS/commit/b759361d904a2cb2a3bcee9411fc348cfde5d163
- https://security-tracker.debian.org/tracker/CVE-2022-39369
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39369
- https://nvd.nist.gov/vuln/detail/CVE-2022-39369
- https://ubuntu.com/security/CVE-2022-39369
Frequently Asked Questions
What is CVE-2022-39369?
CVE-2022-39369 is a vulnerability in the phpCAS authentication library that allows an attacker to control the host header and use a malicious CAS server to perform authentication.
How does phpCAS library determine the service URL used to validate tickets?
The phpCAS library uses HTTP headers to determine the service URL used to validate tickets.
Which software versions are affected by CVE-2022-39369?
Versions up to exclusive 1.6.0 of Apereo Phpcas, Fedora 35, Fedora 36, and Fedora 37 are affected by CVE-2022-39369.
What is the severity of CVE-2022-39369?
CVE-2022-39369 has a severity level of high with a severity value of 8.
How can I fix CVE-2022-39369?
To fix CVE-2022-39369, update to a version of the affected software that includes the security patch. Refer to the references for more information.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/event
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/apereo
- canonical/apereo phpcas
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- package-manager/debian