CVE-2019-10754: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
(updated )
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG’s algorithm not being cryptographically strong.
References
- github.com/advisories/GHSA-g24w-373r-5pxg
- github.com/apereo/cas/commit/40bf278e66786544411c471de5123e7a71826b9f
- nvd.nist.gov/vuln/detail/CVE-2019-10754
- snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
- snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
- snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
- snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
- snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Detect and mitigate CVE-2019-10754 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →