CVE-2019-10754 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apereo Central Authentication Service
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE
Summary
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation. Because the PRNG behind RandomStringUtils is not cryptographically strong, the tokens and IDs it produces are predictable.
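The weak pattern the summary describes, beside a hardened replacement, as an added example that is not Apereo CAS code. The class and method names are illustrative assumptions; the commons-lang3 calls are the library's real API. The point of the "before" method is that RandomStringUtils draws from a shared java.util.Random, whose output is statistically random but not unpredictable, so it must not back session identifiers, tickets or reset tokens.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

// Added example (not Apereo CAS code): the vulnerable pattern from the
// advisory next to two hardened alternatives. Class and method names are
// illustrative assumptions.
public final class TokenGenerators {

    // BEFORE: randomAlphanumeric is backed by a non-cryptographic
    // java.util.Random instance. The output looks random but is not
    // suitable for any value that must be unguessable.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // The JDK's cryptographically strong generator, created once and reused.
    private static final SecureRandom SECURE = new SecureRandom();

    // AFTER (preferred): draw raw bytes from the CSPRNG and encode them.
    // 32 bytes yields 256 bits of entropy, independent of the output alphabet.
    static String secureToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // AFTER (alternative): keep the alphanumeric shape but route the
    // commons-lang3 generator through a caller-supplied SecureRandom via the
    // overload that accepts a java.util.Random source. start=0/end=0 with
    // letters=true/numbers=true reproduces randomAlphanumeric's alphabet.
    static String secureAlphanumeric(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        System.out.println("weak    : " + weakToken(32));
        System.out.println("secure  : " + secureToken(32));
        System.out.println("secure2 : " + secureAlphanumeric(32));
    }
}
```

When auditing a code base for this weakness, search for every call into RandomStringUtils (and for bare java.util.Random or Math.random) on a path that produces a security-sensitive value, and confirm that each one either draws from SecureRandom directly or passes a SecureRandom instance into the generator, as the two hardened methods above do.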
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869