CVE-2025-3984 – org.apereo.cas:cas-management-webapp-support

Package

Manager: maven
Name: org.apereo.cas:cas-management-webapp-support
Vulnerable Version: >=0 <=5.2.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00079 pctl0.24183

Details

Apereo CAS code injection vulnerability A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

Created: 2025-04-27T21:34:47Z
Modified: 2025-04-28T20:39:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-37pq-893f-g7q5/GHSA-37pq-893f-g7q5.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-37pq-893f-g7q5
Finding: F184
Auto approve: 1