Commit b96e158

committed
new post
1 parent 1c38c8a commit b96e158

1 file changed

+4
-4
lines changed


_posts/cas/2023-09-14-oauth-vuln.md

@@ -7,7 +7,7 @@ tags: [CAS]
77

88
# Overview
99

10-
This is the initial [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html),
10+
This is an [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html),
1111
describing an issue in CAS acting as an OAuth/OpenID Connect provider. If your CAS server is not acting as an OAuth/OpenID Connect provider producing claims and attributes, there is nothing for you to do here. Keep calm and carry on.
1212

1313
For additional details on how security issues, patches and announcements are handled, please read the [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html) process.
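Review bot: the new line 10 and the unchanged line 13 both link to the same Sec-Vuln-Response URL with identical link text, so the Overview now points readers to the process twice within three sentences; since line 13 already introduces the process explicitly, line 10 could drop the link and simply read "This is an Apereo CAS project vulnerability disclosure, describing an issue in CAS acting as an OAuth/OpenID Connect provider." It would also help affected operators triage faster if the condition "producing claims and attributes" named the specific surface involved, because as written the Overview gives no hint which endpoint a deployer should be looking at.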
@@ -33,7 +33,9 @@ If you or your institution is a member of the Apereo foundation with an active s
3333

3434
# Severity
3535

36-
This is the initial version of an [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html). This post will be updated once the security grace period has passed.
36+
CAS incorrectly returns and releases a number of internal data structures and attributes in response to OAuth or OpenID Connect requests sent to the *User Profile* endpoint. Such internal data structures often tend to contain sensitive data such as the application policy record, details and metadata describing the authentication attempt, client secret assigned to the relying party, geo-location details when activated and more in plain JSON.
37+
38+
This mistake is corrected in the patch releases described below.
3739

3840
# Timeline
3941

@@ -45,8 +47,6 @@ Patch releases are available to address CAS deployments. Upgrades to the next pa
4547

4648
## Procedure
4749

48-
This is the initial version of an [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html). All source code and repository tags that contain fixes for this issue are kept privately until the grace period has passed. Note that repository tags are generally irrelevant when it comes to applying fixes described below, unless you intend to build the CAS codebase from source and a tagged commit instead of relying on a binary published release.
49-
5050
### 6.5.x
5151

5252
Modify your CAS overlay to point to the version `6.5.9.4`.
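Review bot: removing lines 48-49 wholesale also drops the one sentence in that paragraph that stays true after the grace period, namely that repository tags are irrelevant to applying the fix unless you build CAS from a tagged commit rather than a published release; keep that sentence so readers of the final post still know the version bump in the overlay is all that is required. With the paragraph gone, the Procedure section at line 48 now runs straight into "### 6.5.x" with no lead-in, so a short sentence such as "Apply the patch release matching your CAS version as described below." would restore the flow.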
