Predictable Token and ID Generation in Apereo CAS Before 6.1.0-RC5

CVE-2019-10754 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes them predictable because the PRNG behind RandomStringUtils is not cryptographically strong.
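The following Java class is an added example, not code from Apereo CAS or from the commons-lang3 project. It places the weak pattern the advisory describes (tokens drawn from RandomStringUtils' default, non-cryptographic java.util.Random) beside two hardened alternatives that draw from java.security.SecureRandom. The class name, method names and the check in `sameSeedSameOutput` are hypothetical; commons-lang3 is assumed to be on the classpath, and the seven-argument `RandomStringUtils.random` overload used here is the one that accepts a caller-supplied `Random`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

/** Hypothetical token helpers contrasting a weak and a hardened generator. */
public final class TokenGenerators {

    // One process-wide CSPRNG; SecureRandom is thread-safe.
    private static final SecureRandom SECURE = new SecureRandom();

    /**
     * WEAK (the advisory's pattern): the no-argument RandomStringUtils helpers use a
     * shared java.util.Random, a linear congruential generator with 48 bits of state.
     * Output is deterministic given its state, so it must not back session or
     * password-reset tokens, ticket ids, or similar secrets.
     */
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    /**
     * HARDENED, option 1: keep RandomStringUtils for its character handling but
     * supply a SecureRandom as the source. start/end of 0 with letters=true and
     * numbers=true yields the alphanumeric range.
     */
    static String hardenedAlphanumericToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    /**
     * HARDENED, option 2: take raw bytes from SecureRandom and encode them URL-safely.
     * 32 bytes gives 256 bits of entropy regardless of the alphabet.
     */
    static String hardenedToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Illustrates why java.util.Random is unsuitable: two instances with the same
     * seed produce identical "random" strings. A SecureRandom seeded by the OS
     * does not expose this property to callers.
     */
    static boolean sameSeedSameOutput(long seed, int length) {
        String a = RandomStringUtils.random(length, 0, 0, true, true, null, new Random(seed));
        String b = RandomStringUtils.random(length, 0, 0, true, true, null, new Random(seed));
        return a.equals(b);
    }

    public static void main(String[] args) {
        System.out.println("weak (java.util.Random)   : " + weakToken(32));
        System.out.println("hardened (alphanumeric)   : " + hardenedAlphanumericToken(32));
        System.out.println("hardened (base64url bytes): " + hardenedToken(32));
        System.out.println("same seed, same output    : " + sameSeedSameOutput(42L, 32));
    }
}
```

When auditing a code base for this weakness, the signal is any call to the no-argument `RandomStringUtils.random*` helpers (or to `java.util.Random` directly) whose result is used as a credential, session identifier or ticket id; the fix is to route generation through `SecureRandom`, either by passing it into the overload shown above or by encoding its raw bytes.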