Linux Distros Unpatched Vulnerability : CVE-2022-39369

🗓️ 27 Aug 2025 00:00:00Reported by TenableType

Unpatched Linux hosts using phpCAS may allow header manipulation to reuse CAS tickets.

Reporter	Title	Published	Views	Family All 60
Circl	CVE-2022-39369	1 Nov 202219:13	–	circl
CNNVD	Apereo CAS 安全漏洞	1 Nov 202200:00	–	cnnvd
CVE	CVE-2022-39369	1 Nov 202200:00	–	cve
Cvelist	CVE-2022-39369 Service Hostname Discovery Exploitation in phpCAS	1 Nov 202200:00	–	cvelist
Debian	[SECURITY] [DLA 3485-1] php-cas security update	8 Jul 202314:03	–	debian
Debian	[SECURITY] [DLA 3486-1] ocsinventory-server update for php-cas	8 Jul 202314:06	–	debian
Debian	[SECURITY] [DLA 3487-1] fusiondirectory security update and rebuild for php-cas	8 Jul 202314:07	–	debian
Debian CVE	CVE-2022-39369	1 Nov 202200:00	–	debiancve
Tenable Nessus	Debian dla-3485 : php-cas - security update	8 Jul 202300:00	–	nessus
Tenable Nessus	Debian dla-3486 : ocsinventory-reports - security update	20 Jul 202300:00	–	nessus

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2022-39369
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(257909);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/27");

  script_cve_id("CVE-2022-39369");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2022-39369");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - phpCAS is an authentication library that allows PHP applications to easily authenticate users via a
    Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service
    URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket
    granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service
    protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may
    be any other service URL (if the allowed URLs are configured to ^(https)://.*) or may be strictly
    limited to known and authorized services in the same SSO federation if proper URL service validation is
    applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable
    CASified service without victim's knowledge, when the victim visits attacker's website while being logged
    in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL
    discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting
    this version, it is required to pass in an additional service base URL argument when constructing the
    client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the
    CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in
    phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration
    has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL
    of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only
    when the proxy mode is enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`, `X-Forwarded-
    Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a
    reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server
    service registry is configured to only allow known and trusted service URLs the severity of the
    vulnerability is reduced substantially in its severity since an attacker must be in control of another
    authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.
    (CVE-2022-39369)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2022-39369");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39369");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:moodle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ocsinventory-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-cas");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "moodle"},
          {"reference": "ocsinventory-server"}
        ]
      }
    ]
  },
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "moodle"},
          {"reference": "php-cas"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

27 Aug 2025 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 3.18

EPSS0.00989