Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated tokens and IDs predictable because the PRNG algorithm behind RandomStringUtils is not cryptographically strong.
References (5)
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406 (Exploit, Patch, Third Party Advisory)
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402 (Exploit, Patch, Third Party Advisory)
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404 (Exploit, Patch, Third Party Advisory)
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869 (Exploit, Patch, Third Party Advisory)
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868 (Exploit, Patch, Third Party Advisory)
Scores
CVSS v3
8.1
EPSS
0.0175
EPSS Percentile
74.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-338
Status
published
Products (8)
apereo/central_authentication_service
6.1.0 rc1 (4 CPE variants)
apereo/central_authentication_service
< 6.0.5.1
org.apereo.cas/cas-server-core-services-api
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-core-services-authentication
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-oauth-core-api
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-oidc
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-shell
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-simple-mfa
0 - 6.1.0-RC5 (Maven)
Published
Sep 23, 2019
Tracked Since
Feb 18, 2026