Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated values predictable because the PRNG behind RandomStringUtils is not cryptographically strong.
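The pattern behind the advisory, as an added example that is neither Apereo CAS code nor the code of the linked fix commit: the no-argument-source overloads of RandomStringUtils draw from a shared java.util.Random, a 48-bit linear congruential generator whose internal state can be recovered from a few observed outputs, so every later token becomes predictable. The class name TokenGenerator and the method names are assumptions for illustration; the example assumes commons-lang3 on the classpath and shows the weak call next to two cryptographically strong replacements.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

// Added example (not Apereo CAS code): contrasts the weak token pattern
// described in the advisory with cryptographically strong alternatives.
public final class TokenGenerator {

    // One SecureRandom per generator; it is thread-safe and seeds itself from the OS.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    // Vulnerable pattern: this overload uses RandomStringUtils' shared java.util.Random
    // (a 48-bit LCG), so observed tokens let an observer recover the generator state
    // and predict subsequent tokens. Kept here only for comparison.
    public static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Fix that keeps the same alphabet: pass an explicit SecureRandom to the overload
    // that accepts a java.util.Random source (SecureRandom extends java.util.Random).
    // start=0, end=0 with letters=true, numbers=true selects the ASCII alphanumeric range.
    public static String secureAlphanumericToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE_RANDOM);
    }

    // Pure-JDK alternative with no commons-lang3 dependency: raw CSPRNG bytes,
    // base64url-encoded without padding. 32 bytes give 256 bits of entropy.
    public static String secureOpaqueToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE_RANDOM.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        System.out.println("weak (do not use): " + weakToken(32));
        System.out.println("secure alnum     : " + secureAlphanumericToken(32));
        System.out.println("secure opaque    : " + secureOpaqueToken(32));
    }
}
```

When auditing a code base for this issue, search for every RandomStringUtils call that does not pass a Random argument and confirm the values it produces are never used as session identifiers, tickets, reset tokens or other secrets; recent commons-lang3 releases also expose RandomStringUtils.secure(), which is backed by SecureRandom, as a drop-in replacement for the shared-Random overloads.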
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-10754
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
- https://github.com/apereo/cas/commit/40bf278e66786544411c471de5123e7a71826b9f
- https://github.com/advisories/GHSA-g24w-373r-5pxg