CVE-2019-10754

EUVD-2022-3859
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated values predictable because the PRNG behind RandomStringUtils is not cryptographically strong.
PRNG
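As an added illustration (not code from CAS or from the Apache Commons project), the pattern the description refers to beside two hardened replacements that draw their randomness from java.security.SecureRandom; the class and method names are assumed for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

public class TokenGeneration {
    private static final int TOKEN_LENGTH = 32;
    private static final int ALPHANUMERIC_ALPHABET_SIZE = 62; // A-Z, a-z, 0-9
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak (the defect described above): in the commons-lang3 versions this record
    // refers to, the no-argument helpers are backed by a PRNG that is not
    // cryptographically strong, so tokens built this way are predictable.
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
    }

    // Hardened, same alphabet and length: pass a SecureRandom through the overload
    // that accepts a java.util.Random source (SecureRandom extends Random), so callers
    // that need alphanumeric output keep the same token shape.
    static String alphanumericToken() {
        return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, SECURE);
    }

    // Hardened alternative without a commons-lang3 dependency: raw bytes from
    // SecureRandom, URL-safe Base64 so the token fits in URLs, cookies and headers.
    static String opaqueToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Entropy budget of a token drawn uniformly from an alphabet of the given size:
    // log2(alphabetSize) bits per character. Only meaningful when the source is a CSPRNG;
    // a predictable generator yields far less than this figure suggests.
    static double entropyBits(int alphabetSize, int length) {
        return length * (Math.log(alphabetSize) / Math.log(2));
    }

    public static void main(String[] args) {
        System.out.println("alphanumeric token: " + alphanumericToken());
        System.out.println("opaque token:       " + opaqueToken(32));
        System.out.printf("%d alphanumeric chars from a CSPRNG carry about %.0f bits of entropy%n",
                TOKEN_LENGTH, entropyBits(ALPHANUMERIC_ALPHABET_SIZE, TOKEN_LENGTH));
    }
}
```

When reviewing a code base for this class of issue, the call sites to look for are the RandomStringUtils helpers that take no Random argument; a RandomStringUtils.random(...) call that is handed a SecureRandom, or a direct SecureRandom.nextBytes, is the expected corrected form.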
CVSS 3.x Base Score

Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 8.1 HIGH   | NETWORK     | LOW             | LOW            | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Percentile: 60%
Affected Products (NVD)
Vendor | Product                        | Version
apereo | central_authentication_service | 𝑥 ≤ 6.0.5.1
apereo | central_authentication_service | 6.1.0:rc1
apereo | central_authentication_service | 6.1.0:rc2
apereo | central_authentication_service | 6.1.0:rc3
apereo | central_authentication_service | 6.1.0:rc4

𝑥 = Vulnerable software versions