MEDIUM🇵🇱 Wersja polska

CVE-2025-3985

CVSS 5.1v4.0pub. 2025-04-27upd. 2025-11-05

A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Apereo Central Authentication Service

    APP
    Apereo
    5.2.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-4399CRITICAL9.1PL ✓ten sam produkt

SSRF w Apereo Central Authentication Service — brak walidacji parametru

CVE-2023-4612CRITICAL9.8ten sam produkt

Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr m...

CVE-2020-27178HIGH7.5ten sam produkt

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles ...

CVE-2019-10754HIGH8.1ten sam produkt

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStrin...

CVE-2015-1169HIGH7.5ten sam produkt

Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP inject...