CVE-2019-10755

MEDIUM

Pac4j-SAML 3.X - Info Disclosure

Title source: llm

Description

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.

References (1)

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407

Scores

CVSS v3 4.9

EPSS 0.0031

EPSS Percentile 54.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-338

Status published

Products (2)

org.pac4j/pac4j-saml 0 - 3.8.2Maven

pac4j/pac4j 3.0.0 - 3.8.2

Published Sep 23, 2019

Tracked Since Feb 18, 2026