Publication date: 03 November 2023
Affected versions: all through 7.0.0-RC7
Vulnerability type (CWE): Improper Authentication (CWE-287)
CERT Polska has received a report about a vulnerability in Apereo CAS software and participated in its coordination. The vulnerability allows Multi-Factor Authentication (MFA) bypass by spoofing a device that was previously saved as trusted. The weakness has been assigned the identifier CVE-2023-4612 and affects all versions through 7.0.0-RC7. As of the publication date there is no patch: the vendor does not treat the issue as a vulnerability but as a matter of documentation, and it is unknown whether it will be fixed in future versions.
We thank Maksym Brzęczek from efigo.pl for responsibly reporting the vulnerability.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.