CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-4612 – MFA bypass in Apereo CAS
https://notcve.org/view.php?id=CVE-2023-4612
Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability. Vulnerabilidad de autenticación incorrecta en Apereo CAS en jakarta.servlet.http.HttpServletRequest.getRemoteAddr permite omitir la autenticación multifactor. Este problema afecta a CAS: hasta 7.0.0-RC7. • https://cert.pl/en/posts/2023/11/CVE-2023-4612 https://cert.pl/posts/2023/11/CVE-2023-4612 • CWE-287: Improper Authentication CWE-302: Authentication Bypass by Assumed-Immutable Data •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-27178
https://notcve.org/view.php?id=CVE-2020-27178
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication. Apereo CAS versiones 5.3.x anteriores a 5.3.16, versiones 6.x anteriores a 6.1.7.2, versiones 6.2.x anteriores a 6.2.4 y versiones 6.3.x anteriores a 6.3.0-RC4, maneja inapropiadamente las claves secretas con Google Authenticator para la autenticación multifactor • https://apereo.github.io/2020/10/14/gauthvuln •