Key Vulnerability Information

Overview
Issue: A vulnerability in CAS deployments affecting X.509 credentials submitted through the CAS REST API, when X.509 functionality is configured to handle certificate revocation checks via LDAP.
Impact: Isolated to the X.509 workflow and the CAS REST API.

Credits
Reported by: Michael Stepankin from GitHub Security Lab.
Fixed by: Patch incorporated into the published releases.

Affected Deployments
Versions: ,
Maintenance Policy: Versions under active maintenance that are not listed have been analyzed or confirmed as not affected.

Severity
Risk: Allows an attacker to gain insight into the CAS configuration by crafting a malicious certificate. Even when CAS sits behind a reverse proxy that checks certificate validity, the vulnerability remains exploitable if the attacker crafts a signed malicious certificate.

Timeline
Reported: February 21, 2023.
Patched and Published: February 21, 2023.

Patching
Procedure:
- : Upgrade to version .
- : Upgrade to version .

Support
Apache v2 License: The software comes with no warranty.
Active Subscription: Contact the CAS subscription working group for support.

Resources
Policies:
- CAS Security Vulnerability Response Model
- CAS Maintenance Policy