PT-2019-12028 · Apache+1 · Apache Commons Lang+1

Published

2019-09-23

Updated

2022-05-24

CVE-2019-10754

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Apereo CAS versions prior to 6.1.0-RC5

Description The issue arises from the use of apache commons-lang3 RandomStringUtils for token and ID generation in multiple classes within Apereo CAS. This makes the generated tokens and IDs predictable due to the pseudo-random number generator (PRNG) algorithm used by RandomStringUtils not being cryptographically strong.

Recommendations For versions prior to 6.1.0-RC5, update to version 6.1.0-RC5 or later to resolve the issue.

Exploit

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330CWE-338

Related Identifiers

CVE-2019-10754

GHSA-G24W-373R-5PXG

SNYK-JAVA-ORGAPEREOCAS-467402

SNYK-JAVA-ORGAPEREOCAS-467404

SNYK-JAVA-ORGAPEREOCAS-467406

SNYK-JAVA-ORGAPEREOCAS-468868

SNYK-JAVA-ORGAPEREOCAS-468869

Affected Products

Apache Commons Lang

Apereo Cas

PT-2019-12028 · Apache+1 · Apache Commons Lang+1

CVE-2019-10754

Weakness Enumeration

Related Identifiers

Affected Products

References · 11