Vulnerability in Apereo Central Authentication Service (CAS)

CVE-2019-10754

Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes those tokens and IDs predictable because the PRNG algorithm behind RandomStringUtils is not cryptographic…

EPSS score: 0.018 (75.0th percentile).

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Affected products

Apereo CAS, releases before 6.1.0-RC5.

Weakness classification (CWE)

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

References

  • report@snyk.io (Exploit, Patch, Third Party Advisory, x_refsource_MISC)

Frequently asked questions

What is CVE-2019-10754?
CVE-2019-10754 is a high-severity vulnerability in Apereo Central Authentication Service (CAS), classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 8.1/10. Published 2019-09-23.
How severe is CVE-2019-10754?
High severity. CVSS v3 base score is 8.1 out of 10.