| Title | Apereo CAS v5.2.6 ReDoS Denial of Service |
|---|
| Description | 1. Vulnerability Name: The Apereo CAS v5.2.6 application has a ReDoS denial-of-service vulnerability
2. Vulnerability level: Medium risk.
3. Vulnerability submitter and contributor: 蔡超雄 (caichaoxiong)
4. Affects: v5.2.6
5. Vulnerability Description:
ReDoS (Regular Expression Denial of Service) vulnerability:
A defect of the regular expression engine. The attacker constructs special input data that causes a large number of backtracking operations during regular expression matching, thereby consuming server resources, reducing system performance, and even causing service unavailability.
Apereo CAS (Central Authentication Service) is an open-source identity authentication and authorization system, widely used in single sign-on (SSO) solutions for enterprise-level web applications at home and abroad. According to tests and verification, the status/configmetadata/search interface of Apereo CAS v5.2.6 can trigger the ReDoS denial-of-service vulnerability through carefully constructed malicious regular expressions, because the name parameter is controllable, thereby exhausting server resources.
6. Vulnerability Threats
Hackers can send a large number of requests containing malicious regular expressions, causing all threads in the server thread pool to execute regular expression matching and consume a large amount of CPU resources, making it impossible to respond to normal user requests and resulting in a DoS (denial-of-service) attack. |
|---|
| Source | https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a |
|---|
| User | caichaoxiong (UID 84060) |
|---|
| Submitted | 2025-04-14 08:01 (1 year ago) |
|---|
| Moderation | 2025-04-26 10:07 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 306322 [Apereo CAS 5.2.6 CasConfigurationMetadataServerController.java name denial of service] |
|---|
| Points | 17 |
|---|