Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
References
Link | Resource |
---|---|
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869 | Exploit Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 04:19
Type | Values Removed | Values Added |
---|---|---|
References | () https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402 - Exploit, Patch, Third Party Advisory | |
References | () https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404 - Exploit, Patch, Third Party Advisory | |
References | () https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406 - Exploit, Patch, Third Party Advisory | |
References | () https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868 - Exploit, Patch, Third Party Advisory | |
References | () https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869 - Exploit, Patch, Third Party Advisory |
Information
Published : 2019-09-23 23:15
Updated : 2024-11-21 04:19
NVD link : CVE-2019-10754
Mitre link : CVE-2019-10754
CVE.ORG link : CVE-2019-10754
JSON object : View
Products Affected
apereo
- central_authentication_service
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)