Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
References
Link | Resource |
---|---|
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869 | Exploit Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2019-09-23T22:09:32
Updated: 2019-09-23T22:09:32
Reserved: 2019-04-03T00:00:00
Link: CVE-2019-10754
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-09-23T23:15:10.640
Modified: 2019-09-24T13:59:44.637
Link: CVE-2019-10754
JSON object: View
Redhat Information
No data.
CWE