Affected versions
Symfony versions >=7.1, <7.4.12, >=8, <8.0.12 of the Symfony Security HTTP component are affected by this security issue.
The issue has been fixed in Symfony 7.4.12, 8.0.12.
Description
Cas2Handler builds the CAS service parameter from Request::getSchemeAndHttpHost(), which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trusted_hosts setting is not configured (the default). An attacker who controls any other application registered with the same CAS server can replay a victim's ticket against the Symfony application, with a spoofed Host header, and be authenticated as that victim.
Resolution
Cas2Handler now requires framework.trusted_hosts to be configured (equivalently, Request::setTrustedHosts() must have been called); it throws a LogicException otherwise. With trusted hosts configured, requests carrying a spoofed Host header are rejected by HttpFoundation as SuspiciousOperationException before the CAS service parameter is built, preventing cross-service ticket replay.
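The following is an added illustration, not code from Symfony or from the advisory: it shows, with the HttpFoundation Request API alone, why the service parameter is host-dependent without trusted hosts and how configuring them (the runtime equivalent of framework.trusted_hosts) makes HttpFoundation reject a foreign Host header before any service URL can be derived. The hostnames are constructed; it assumes symfony/http-foundation is installed via Composer.

```php
<?php
// Added example (not Symfony's own code). Requires:
//   composer require symfony/http-foundation
// Hostnames below are constructed for the demonstration.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
use Symfony\Component\HttpFoundation\Request;

// A request as the application receives it, with the Host header replaced
// by a hostname that is not this deployment's own.
$request = Request::create('https://app.example.com/login/cas');
$request->headers->set('Host', 'other-app.example.net');

// 1. Default configuration (no framework.trusted_hosts): the origin that a
//    Cas2Handler-style service URL would be built from is whatever the
//    client put in the Host header.
echo 'Without trusted hosts: ', $request->getSchemeAndHttpHost(), PHP_EOL;

// 2. Runtime equivalent of the YAML setting
//      framework:
//          trusted_hosts: ['^app\.example\.com$']
//    Any host matching none of the patterns is refused by HttpFoundation,
//    so no service parameter can be derived from a foreign hostname.
Request::setTrustedHosts(['^app\.example\.com$']);
try {
    $request->getSchemeAndHttpHost();
    echo 'Unexpected: foreign host was accepted', PHP_EOL;
} catch (SuspiciousOperationException $e) {
    echo 'With trusted hosts: rejected (', $e->getMessage(), ')', PHP_EOL;
}

// A request whose Host header matches the configured pattern still resolves
// normally, so legitimate CAS logins are unaffected.
$legit = Request::create('https://app.example.com/login/cas');
echo 'Legitimate host: ', $legit->getSchemeAndHttpHost(), PHP_EOL;
```

In a full-stack application the patterns are set once from framework.trusted_hosts and the SuspiciousOperationException surfaces as an HTTP 400 response, which is the rejection the Resolution section describes.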
The patch for this issue is available here for branch 7.4.
Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Nicolas Grekas for providing the fix.