Race condition in org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController


Evdokimov, Timur(AWF)

Sep 6, 2019, 7:21:45 AM9/6/19
to cas...@apereo.org

Hi all,

Seems like commit 0b465e34b6ff594a177fa9118c87a13cff349374 (July 18th 2019) has introduced a dangerous race condition in OAuth20CallbackAuthorizeEndpointController.

Before, ‘callback’ was created per request; now it is shared among all threads accessing it.

As a result, callback.getRedirectUrl() sometimes returns the same value for two or more threads accessing it.

It looks rather like a high profile security issue, since the redirect URL contains a ‘state’ value that would allow one user to impersonate another, should they hit CAS at the same millisecond.

Kind regards,
Tim

Evdokimov, Timur(AWF)

Sep 6, 2019, 7:44:49 AM9/6/19
to cas...@apereo.org

My apologies, correct commit ID is b1cbcb2a1b305fb915be3dac65e130da315772c0.


PR to address the issue:

https://github.com/apereo/cas/pull/4253
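To make the bug class concrete, here is an added illustration (not CAS code and not the PR above) of the shape described in this thread: a "callback" object whose redirect URL carries the caller's OAuth state, first held in a single shared instance, then created per request, with a small concurrent check that counts responses carrying another request's state. All class and method names are hypothetical stand-ins.

```java
// Added illustration, not CAS code: shared vs. per-request "callback" objects.
import java.util.*;
import java.util.concurrent.*;
import java.util.function.Function;

public class SharedCallbackRace {

    /** Hypothetical stand-in for the callback: it stores the computed redirect URL on the object. */
    static final class Callback {
        private String redirectUrl;                 // per-request result kept in instance state

        String computeRedirectUrl(String state) {
            redirectUrl = "https://client.example/cb?state=" + state;
            Thread.yield();                         // widen the window between write and read
            return redirectUrl;                     // may now hold another thread's state
        }
    }

    /** Racy shape: one Callback instance shared by every request thread. */
    static final Callback SHARED = new Callback();

    static String racyHandle(String state) {
        return SHARED.computeRedirectUrl(state);
    }

    /** Fixed shape: a fresh Callback per request, so no state is shared across threads. */
    static String safeHandle(String state) {
        return new Callback().computeRedirectUrl(state);
    }

    /** Runs concurrent requests and counts responses whose URL carries someone else's state. */
    static long crossedStates(Function<String, String> handler, int requests)
            throws InterruptedException, ExecutionException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            String state = "state-" + i;            // constructed per-request state value
            results.add(pool.submit(() -> !handler.apply(state).endsWith("state=" + state)));
        }
        long crossed = 0;
        for (Future<Boolean> f : results) if (f.get()) crossed++;
        pool.shutdown();
        return crossed;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared callback, crossed states:      " + crossedStates(SharedCallbackRace::racyHandle, 20_000));
        System.out.println("per-request callback, crossed states: " + crossedStates(SharedCallbackRace::safeHandle, 20_000));
    }
}
```

The shared variant typically reports a non-zero count (the exact number depends on scheduling), while the per-request variant reports zero; a check of this kind in a controller's test suite catches the regression when request-scoped state is moved into a shared field.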

