← Back

CVE-2019-10754

nvd nist
Published: Sep 23, 2019Modified: Nov 21, 2024

JSON object

Loading...
8.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 / Impact: 5.2
Source: NVD

Description

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

Affected (5)

Apereo
1 product
Central Authentication Service
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Apereo
Central Authentication Service
Up to 6.0.5.1
Central Authentication Service
Version 6.1.0 rc1
Central Authentication Service
Version 6.1.0 rc2
Central Authentication Service
Version 6.1.0 rc3
Central Authentication Service
Version 6.1.0 rc4

Related CWEs

CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

References (10)

Source: report@snyk.io
ExploitPatchThird Party Advisory
Source: report@snyk.io
ExploitPatchThird Party Advisory
Source: report@snyk.io
ExploitPatchThird Party Advisory
Source: report@snyk.io
ExploitPatchThird Party Advisory
Source: report@snyk.io
ExploitPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatchThird Party Advisory

Timeline

No history available yet.