|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Java CAS Cliuent JWT Vulnerability Disclosure |
| 4 | +summary: Disclosure of a security issue with the Java CAS Client validating JWTs. |
| 5 | +tags: [CAS] |
| 6 | +--- |
| 7 | + |
| 8 | +# Overview |
| 9 | + |
| 10 | +This is an [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html), |
| 11 | +describing an issue in the Java CAS Client while validating tickets issued as JWT. |
| 12 | + |
| 13 | +For additional details on how security issues, patches and announcements are handled, please read the [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html) process. |
| 14 | + |
| 15 | +# Credits |
| 16 | + |
| 17 | +This issue was reported to the project by a third-party researcher and was then further validated tested by Mr. Jérôme Leleu, who is a project member and an active committer. |
| 18 | + |
| 19 | +Thank you everyone! |
| 20 | + |
| 21 | +# Affected Deployments |
| 22 | + |
| 23 | +If you have an application that uses the Java CAS client to intergrate with a CAS server and is configured to accept and validate JWTs from that server, you are affected and do need to upgrade. If this condition does not pass for your application deployments, there is nothing for you to do here. Keep calm and carry on. |
| 24 | + |
| 25 | +If you or your institution is a member of the Apereo foundation with an active support subscription supporting the CAS project, please [contact the CAS subs working group](https://apereo.github.io/cas/Mailing-Lists.html) to learn more about this security vulnerability report. |
| 26 | + |
| 27 | +# Timeline |
| 28 | + |
| 29 | +The issue was originally reported on May 2nd 2026, and upon confirmation, Java CAS client releases were patched and eventually published on May 20th, 2026. |
| 30 | + |
| 31 | +# Patching |
| 32 | + |
| 33 | +Upgrade your applications to use Java CAS client's version `4.1.1`. |
| 34 | + |
| 35 | +# Support |
| 36 | + |
| 37 | +Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation. Support options may be [found here](https://apereo.github.io/cas/Support.html). |
| 38 | + |
| 39 | +If you or your institution is a **member** of the Apereo foundation with an **active CAS subscription** supporting the CAS project, please [contact the CAS subs working group](https://apereo.github.io/cas/Mailing-Lists.html) to learn more about this security vulnerability. |
| 40 | + |
| 41 | +# Resources |
| 42 | + |
| 43 | +* [CAS Security Vulnerability Response Model](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html) |
| 44 | +* [CAS Maintenance Policy](https://apereo.github.io/cas/developer/Maintenance-Policy.html) |
| 45 | +* [CAS Mailing Lists](https://apereo.github.io/cas/Mailing-Lists.html) |
| 46 | + |
| 47 | +On behalf of the CAS Application Security working group, |
| 48 | + |
| 49 | +[Misagh Moayyed](https://fawnoos.com) |
0 commit comments