=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN550
_____________________________________________________________________

DATE                : 27/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Shibboleth Identity Provider
                           versions prior to 5.1.6.

=====================================================================
https://shibboleth.net/community/advisories/secadv_20250826.txt
_____________________________________________________________________

Shibboleth Identity Provider Security Advisory [26 August 2025]

An updated version of the Shibboleth Identity Provider is available
to address a cross-site scripting vulnerability in the CAS protocol
support when using certain request options that result in a particular
response format.

XSS vulnerability in one CAS response format
=================================================================
An XSS issue was identified in the IdP's handling of CAS responses
in certain situations. If exploited, exfiltration of cookies is
unlikely due to the default mitigations for that, but cross-site
request forgery attacks are very possible against CAS clients that
are not themselves hardened against certain kinds of malicious URLs.

Recommendations
===============
Update to V5.1.6 (or later) of the Identity Provider software. [1]

If unable to upgrade, an alternative mitigation is to control use of
CAS through the CAS Service Registry (rather than the SAML metadata
extension specific to our software that many rely on). The regular
expressions used to validate CAS service URLs then need to be fairly
strict; in particular, avoid tail-matching wildcards (such as a
trailing ".*") that would permit essentially any decoration of a URL
to be accepted.

The SAML metadata alternative exclusively does this sort of open-
ended prefix matching and is not designed to prevent further URL
content from appearing at the end of a service URL, so its use
cannot mitigate against this issue.
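As an added illustration (not part of the Shibboleth advisory or of the
IdP code base), the following Python script models the two service-URL
matching behaviours the advisory contrasts: regex matching in the CAS
Service Registry, assumed here to use full-match semantics as Java's
Matcher.matches() does, and the open-ended prefix matching of the SAML
metadata extension. The service URLs, the LOOSE/STRICT patterns and the
helper names are constructed for this example. The point it makes
concrete is that a registry regex ending in a tail wildcard, exactly
like prefix matching, accepts any attacker-appended decoration of an
otherwise legitimate service URL, whereas an exact pattern does not;
the has_tail_wildcard() check is the kind of lint you would run over
the regexes in your own registry definitions before relying on them as
a mitigation.

```python
import re

# Constructed sample service URLs for the example (not from the advisory).
LEGIT_SERVICE = "https://app.example.edu/cas/callback"
DECORATED_SERVICES = [
    # extra query string appended to the legitimate service URL
    "https://app.example.edu/cas/callback?next=//attacker.example/",
    # extra path segments appended
    "https://app.example.edu/cas/callback/../../admin",
    # fragment appended
    "https://app.example.edu/cas/callback#injected",
]

# Two candidate registry regexes (constructed). LOOSE ends in a tail
# wildcard; STRICT names the exact service URL and nothing else.
LOOSE_PATTERN = r"https://app\.example\.edu/.*"
STRICT_PATTERN = r"https://app\.example\.edu/cas/callback"

# Heuristic: the regex's last element is an unescaped '.' followed by
# '*' or '+', optionally followed by a '$' anchor.
_TAIL_WILDCARD = re.compile(r"(?<!\\)\.[*+]\$?$")


def registry_matches(pattern: str, url: str) -> bool:
    """Model of CAS Service Registry matching: the whole URL must match
    the regex (assumed full-match semantics, as with Matcher.matches())."""
    return re.fullmatch(pattern, url) is not None


def metadata_prefix_matches(registered: str, url: str) -> bool:
    """Model of the SAML-metadata alternative: an open-ended prefix
    comparison, which by construction cannot stop trailing content."""
    return url.startswith(registered)


def has_tail_wildcard(pattern: str) -> bool:
    """Lint check for a registry regex: True if it ends in an open-ended
    wildcard such as '.*' or '.+' (an escaped '\\.' does not count)."""
    return _TAIL_WILDCARD.search(pattern) is not None


def accepted_decorations(pattern: str, urls=DECORATED_SERVICES) -> list:
    """Which of the decorated URLs would this registry pattern accept?"""
    return [u for u in urls if registry_matches(pattern, u)]


def audit_registry(patterns) -> dict:
    """Per pattern: the tail-wildcard flag and the decorations it admits."""
    return {
        p: {"tail_wildcard": has_tail_wildcard(p),
            "accepts": accepted_decorations(p)}
        for p in patterns
    }


if __name__ == "__main__":
    for pattern, result in audit_registry([LOOSE_PATTERN, STRICT_PATTERN]).items():
        print(f"{pattern}\n  tail wildcard: {result['tail_wildcard']}"
              f"\n  accepts {len(result['accepts'])} of "
              f"{len(DECORATED_SERVICES)} decorated URLs")
    print("metadata prefix match accepts every decorated URL:",
          all(metadata_prefix_matches(LEGIT_SERVICE, u)
              for u in DECORATED_SERVICES))
```

Running the script reports that the LOOSE pattern carries a tail
wildcard and admits all three decorated URLs, that the STRICT pattern
admits none of them while still accepting the legitimate service URL,
and that prefix matching admits every decoration. If a CAS client
legitimately varies its service URL, enumerate the permitted variants
explicitly rather than reaching for a trailing wildcard.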

Credits
=======
Discloze, Inc. <https://www.discloze.com/>
Dan Malone, California Polytechnic State University


[1] https://shibboleth.net/downloads/identity-provider/

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250826.txt
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
