Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
References
Link | Resource |
---|---|
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869 | Exploit Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2019-09-23 23:15
Updated : 2024-02-28 17:28
NVD link : CVE-2019-10754
Mitre link : CVE-2019-10754
CVE.ORG link : CVE-2019-10754
JSON object : View
Products Affected
apereo
- central_authentication_service
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)