First published: Mon Sep 23 2019
Multiple classes in Apereo CAS before release 6.1.0-RC5 use Apache commons-lang3 RandomStringUtils for token and ID generation. Because the PRNG behind RandomStringUtils is not cryptographically strong, the generated tokens and IDs are predictable.
Credit: report@snyk.io
Affected Software | Affected Version | How to fix
---|---|---
Apereo Central Authentication Service | <=6.0.5.1 |
Apereo Central Authentication Service | =6.1.0-rc1 |
Apereo Central Authentication Service | =6.1.0-rc2 |
Apereo Central Authentication Service | =6.1.0-rc3 |
Apereo Central Authentication Service | =6.1.0-rc4 |
CVE-2019-10754 is a vulnerability found in Apereo CAS before release 6.1.0-RC5 that makes token and ID generation predictable due to the weak algorithm used.
Apereo Central Authentication Service versions 6.0.5.1, 6.1.0-rc1, 6.1.0-rc2, 6.1.0-rc3, and 6.1.0-rc4 are affected by CVE-2019-10754.
CVE-2019-10754 has a severity rating of 8.1, which is considered high.
To fix CVE-2019-10754, update Apereo CAS to release 6.1.0-RC5 or later.
More information about CVE-2019-10754 can be found at the following references: [Link 1](https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402), [Link 2](https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404), [Link 3](https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406).
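The weakness described above comes down to which random source feeds RandomStringUtils. The following is an added illustration, not Apereo CAS code: it places the weak pattern beside a hardened form that passes a SecureRandom into the overload that accepts one. It assumes commons-lang3 on the classpath; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Added example, not Apereo CAS code. Assumes commons-lang3 on the classpath.
public class TokenGeneration {

    // Weak: the overloads that take no Random draw from a shared
    // java.util.Random, a 48-bit linear congruential generator whose
    // internal state can be recovered from observed output. Unsuitable
    // for tickets, IDs or session tokens.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Hardened: same alphanumeric character set, but the overload that
    // accepts a java.util.Random is given a SecureRandom (a CSPRNG).
    private static final SecureRandom SECURE = new SecureRandom();

    static String strongToken(int length) {
        // start/end of 0 are ignored when letters/numbers are set and chars is null
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakToken(32));
        System.out.println("strong : " + strongToken(32));
    }
}
```

When auditing a codebase for this pattern, any call to RandomStringUtils without an explicit Random argument that feeds an identifier, ticket or secret is a finding.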