Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated tokens and IDs predictable because the PRNG underlying RandomStringUtils is not cryptographically strong.
References (5)
Scores
CVSS v3
8.1
EPSS
0.0040
EPSS Percentile
60.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-338
Status
published
Products (8)
apereo/central_authentication_service
6.1.0 rc1 (4 CPE variants)
apereo/central_authentication_service
< 6.0.5.1
org.apereo.cas/cas-server-core-services-api
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-core-services-authentication
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-oauth-core-api
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-oidc
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-shell
0 - 6.1.0-RC5 (Maven)
org.apereo.cas/cas-server-support-simple-mfa
0 - 6.1.0-RC5 (Maven)
Published
Sep 23, 2019
Tracked Since
Feb 18, 2026