=====================================================================

                               CERT-Renater

                    Information Note No. 2024/VULN146
_____________________________________________________________________

DATE                : 26/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Shibboleth Identity Provider
                             versions prior to 5.1.1, 4.3.2.

=====================================================================
http://shibboleth.net/community/advisories/secadv_20240320.txt
_____________________________________________________________________

Shibboleth Identity Provider Security Advisory [20 March 2024]

CAS service URL handling vulnerable to Server-Side Request Forgery
==================================================================
The Identity Provider's CAS support relies on a function in the
Spring Framework to parse CAS service URLs and append the ticket
parameter. Spring published an advisory regarding this function
and re-opened the advisory after their latest release. [1]

Updates for both supported branches of the IdP are being provided
to update the Spring Framework version to address the issue.

Those not using the IdP's CAS protocol support are not impacted
by this issue, though all are encouraged to upgrade at their next
opportunity.
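The security-relevant point above is that the ticket is appended to a
URL supplied by the relying party, so whatever the URL parser decides
the host is determines where the ticket is sent. The following Python
is an added illustration of the defensive shape of that step, not code
from Shibboleth or Spring: the service URL is parsed once, its host is
checked against an allowlist of registered services, and only then is
the ticket parameter appended to the same parsed URL. The allowlist
hostnames, the function names and the placeholder ticket value are
constructed for this example.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist: hostnames of CAS services registered with the IdP.
# In a real deployment this would come from the IdP's service registry.
REGISTERED_SERVICE_HOSTS = frozenset({"app.example.edu", "portal.example.edu"})


def validate_service_url(service: str) -> Optional[str]:
    """Return the service URL if it names a registered service, else None.

    The host is taken from the parsed URL, which is the same value the
    redirect is later built from, so validation and use see one parse.
    """
    parts = urlsplit(service)
    if parts.scheme != "https":
        return None                     # tickets only travel over TLS
    if parts.username is not None or parts.password is not None:
        return None                     # service URLs never carry credentials
    host = parts.hostname
    if host is None or host.lower() not in REGISTERED_SERVICE_HOSTS:
        return None                     # not a registered service
    try:
        port = parts.port               # raises ValueError on a malformed port
    except ValueError:
        return None
    if port not in (None, 443):
        return None                     # only the default HTTPS port
    return service


def append_ticket(service: str, ticket: str) -> str:
    """Append ticket=<ticket> to the service URL's query string.

    Existing query parameters are preserved and re-encoded; the fragment,
    if any, stays after the query as the URL syntax requires.
    """
    parts = urlsplit(service)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("ticket", ticket))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def build_ticket_redirect(service: str, ticket: str) -> Optional[str]:
    """Validate first, then append; None means the redirect must not be issued."""
    checked = validate_service_url(service)
    if checked is None:
        return None
    return append_ticket(checked, ticket)


if __name__ == "__main__":
    # Constructed sample inputs; "ST-1-example" is a placeholder ticket value.
    for url in ("https://app.example.edu/login?next=%2Fhome",
                "http://app.example.edu/login",
                "https://unregistered.example.org/cas"):
        print(url, "->", build_ticket_redirect(url, "ST-1-example"))
```

Two caveats apply. First, the check only holds if the parser used for
validation and the one used to build the redirect agree on the host;
the Spring issue referenced by the advisory is precisely a parser
problem, so an allowlist in front of the affected function is a layer
on top of the upgrade, not a substitute for it. Second, Python's
urlsplit is a different parser from Spring's, so this shows the shape
of the check rather than Spring's behaviour.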

Affected Versions
=================
The Spring Framework bug is found in the versions outlined by
their advisory [1].

This implicates Identity Provider versions < 5.1.1 and < 4.3.2
when CAS is in use.

Recommendations
===============
Upgrade to Identity Provider V5.1.1 or later.
Upgrade to Identity Provider V4.3.2 or later (once available).

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20240320.txt

[1] https://spring.io/security/cve-2024-22259


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
