The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
References
Link | Resource |
---|---|
https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407 | Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407 | Patch Third Party Advisory |
Configurations
History
21 Nov 2024, 04:19
Type | Values Removed | Values Added |
---|---|---|
References | () https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407 - Patch, Third Party Advisory |
Information
Published : 2019-09-23 23:15
Updated : 2024-11-21 04:19
NVD link : CVE-2019-10755
Mitre link : CVE-2019-10755
CVE.ORG link : CVE-2019-10755
JSON object : View
Products Affected
pac4j
- pac4j
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)