From: "'Evdokimov, Timur(AWF)' via CAS Developer" <[hidden email]>
Reply to: "Evdokimov, Timur(AWF)" <[hidden email]>
Date: Friday, 6 September 2019 at 13:21
To: "[hidden email]" <[hidden email]>
Subject: [cas-dev] Race condition in org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController
Seems like commit 0b465e34b6ff594a177fa9118c87a13cff349374 (July 18th 2019) has introduced a dangerous race condition in
Before, ‘callback’ was created per request, now it is shared among all threads accessing it.
As a result, callback.getRedirectUrl() sometimes returns the same value for two or more threads accessing it.
It looks rather like a high-profile security issue, since the redirect URL contains the ‘state’ value that would allow one user to impersonate another, should they hit CAS at the same millisecond.
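Added illustration, not the reporter's code and not CAS code: the shared-versus-per-request difference described in the message, modeled in Python with a Barrier standing in for two requests arriving in the same millisecond. The Callback class, the request values and the URL format are constructed assumptions, not the CAS implementation.

```python
import threading
from urllib.parse import urlencode


class Callback:
    """Holds one request's redirect target and OAuth 'state' (constructed stand-in)."""

    def __init__(self):
        self.client_redirect = None
        self.state = None

    def prepare(self, client_redirect, state):
        self.client_redirect = client_redirect
        self.state = state

    def get_redirect_url(self):
        return f"{self.client_redirect}?{urlencode({'state': self.state})}"


# Constructed sample requests: two users with distinct redirect/state pairs.
REQUESTS = [("https://app-a.example/cb", "state-A"),
            ("https://app-b.example/cb", "state-B")]


def run_concurrent(make_callback, requests=REQUESTS):
    """Run each request on its own thread. The barrier makes every thread finish
    prepare() before any thread reads: the 'same millisecond' interleaving from
    the report. Returns {user: redirect_url}."""
    barrier = threading.Barrier(len(requests))
    results = {}

    def worker(name, redirect, state):
        cb = make_callback()           # shared instance, or a fresh one per request
        cb.prepare(redirect, state)
        barrier.wait()                 # all writes done; now every thread reads
        results[name] = cb.get_redirect_url()

    threads = [threading.Thread(target=worker, args=(f"user{i}", r, s))
               for i, (r, s) in enumerate(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


SHARED = Callback()                      # post-commit shape: one instance for all threads
buggy = run_concurrent(lambda: SHARED)   # both users receive the same URL and state
fixed = run_concurrent(Callback)         # pre-commit shape: a new instance per request
```

A regression test for this class of bug is the last three lines: with a shared instance both users get one URL (and therefore one ‘state’), with a per-request instance each gets their own.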