Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN562
_____________________________________________________________________

DATE                : 29/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apereo CAS server versions prior
                                 to 7.3.7.1.

=====================================================================
https://apereo.github.io/2026/05/27/oidc-vuln/
_____________________________________________________________________


CAS OpenID Connect Vulnerability Disclosure
Wednesday, May 27, 2026

Overview

This is an initial Apereo CAS project vulnerability disclosure,
describing an issue in CAS acting and running as an OpenID Connect
provider. Additional details will be made public once the security
grace window has passed.

For additional details on how security issues, patches and
announcements are handled, please read the Apereo CAS project
vulnerability disclosure process.


Credits

This issue was originally reported to the team at Coop (Switzerland),
namely Artur Stoecklin and David Roth, via the YesWeHack platform,
which is a “global crowdsourced security and bug bounty platform that
connects organizations with a vetted community of tens of thousands
of ethical (white-hat) hackers to identify and report vulnerabilities
in websites, mobile apps, and infrastructure”. Both the original
reporter as well as the team at YesWeHack shared complete and
thorough instructions on how this vulnerability can be observed
and exercised. The team at Coop (Switzerland) further validated
and tested the fix.

Thank you everyone!


Affected Deployments

The problem addressed here, per the CAS maintenance policy,
affects the Apereo CAS server for the following versions:

- 7.3.x

If your CAS version is not listed above AND is still part of an
active maintenance cycle per the CAS maintenance policy, then
best effort (analysis or confirmation from reporters/testers)
indicates that the version is not affected by this issue. That
said, please note that per the project’s Apache2 license,
software distributed under the License is distributed on an
“AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied. For additional information, please
see the project license.

If you are (or your institution is) a member of the Apereo
foundation with an active support subscription supporting the
CAS project, please contact the CAS subs working group to
learn more about this security vulnerability report.


Severity

You are affected by this security vulnerability IF AND ONLY IF
your CAS deployment is acting and running as an
OpenID Connect identity provider. Additional details will be
made public once the security grace window has passed.

If your deployment does not pass the noted condition(s) above,
there is nothing for you to do here. Keep calm and carry on.


Timeline

The issue was originally reported to the team at Coop
(Switzerland) on May 5th, 2026 and was shared with the CAS project
on May 22nd, 2026. Upon confirmation, CAS releases were patched
and eventually published on May 27th, 2026.


Patching

Patch releases are available to address CAS deployments. Upgrades
to the next patch version for each release should be a drop-in
replacement.


Affected Versions
7.3.x

Modify your CAS overlay to point to the version 7.3.7.1.


How to upgrade

    Locate your gradle.properties file in your CAS overlay, found
at the root of the project.
    Modify your CAS version to point to the approriate release
version noted above by updating the cas.version property.
    Follow the instructions in the README.md file to build the
server, i.e. ./gradlew[.bat] clean build.


Support

Apereo CAS is Apache v2 open source software under the sponsorship
of the Apereo Foundation. Support options may be found here.

If you or your institution is a member of the Apereo foundation
with an active CAS subscription supporting the CAS project, please
contact the CAS subs working group to learn more about this
security vulnerability.


Resources

    CAS Security Vulnerability Response Model
    CAS Maintenance Policy
    CAS Mailing Lists

On behalf of the CAS Application Security working group,

Misagh Moayyed


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================