CVE-2023-28857
CVE-2023-28857 is a medium-severity vulnerability in Apereo Central Authentication Service with a CVSS 3.x base score of 4.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-522.
Key facts
- Severity: Medium (CVSS 3.x base score 4.0)
- EPSS exploit prediction: 1% (39th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-522
- Affected product: Apereo Central Authentication Service
- Published:
- Last modified:
Description
Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Frequently asked questions
- What is CVE-2023-28857?
- Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- How severe is CVE-2023-28857?
- CVE-2023-28857 has a CVSS 3.x base score of 4.0, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2023-28857 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (39th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-28857?
- CVE-2023-28857 affects Apereo Central Authentication Service. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-28857?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-28857 published?
- CVE-2023-28857 was published on 2023-06-27 and last updated on 2026-06-17.
References
- https://apereo.github.io/2023/02/20/x509-vuln/
- https://github.com/apereo/cas/releases/tag/v6.6.6
- https://securitylab.github.com/advisories/GHSL-2023-009_Apereo_CAS/
Affected products (1)
- cpe:2.3:a:apereo:central_authentication_service:*:*:*:*:*:*:*:*
More vulnerabilities in Apereo Central Authentication Service
- CVE-2023-4612 — Critical (CVSS 9.8): Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method…
- CVE-2024-4399 — Critical (CVSS 9.1): The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform…
- CVE-2019-10754 — High (CVSS 8.1): Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils…
- CVE-2020-27178 — High (CVSS 7.5): Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret…
- CVE-2015-1169 — High (CVSS 7.5): Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection…
- CVE-2024-11209 — Medium (CVSS 6.3): A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the…
All CVEs affecting Apereo Central Authentication Service →
Other CWE-522 (Insufficiently Protected Credentials) vulnerabilities
- CVE-2026-7312 — Critical (CVSS 10.0): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to…
- CVE-2026-29128 — Critical (CVSS 10.0): IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g.,…
- CVE-2025-54863 — Critical (CVSS 10.0): Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration…
- CVE-2024-12799 — Critical (CVSS 10.0): Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64…
- CVE-2024-51545 — Critical (CVSS 10.0): Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list…
- CVE-2023-1778 — Critical (CVSS 10.0): This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to…
Browse all CWE-522 (Insufficiently Protected Credentials) vulnerabilities →