GHSA-g24w-373r-5pxg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g24w-373r-5pxg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g24w-373r-5pxg/GHSA-g24w-373r-5pxg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g24w-373r-5pxg
- Aliases
- Published
- 2022-05-24T16:56:41Z
- Modified
- 2025-01-14T07:14:26.961906Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Use of Insufficiently Random Values in Apereo CAS
- Details
-
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-330", "CWE-338" ], "github_reviewed_at": "2022-11-01T23:37:32Z", "nvd_published_at": "2019-09-23T23:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-10754
- https://github.com/apereo/cas/commit/40bf278e66786544411c471de5123e7a71826b9f
- https://github.com/apereo/cas
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
- https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Affected packages
Maven
org.apereo.cas:cas-server-support-simple-mfa
Package
- Name
- org.apereo.cas:cas-server-support-simple-mfa
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apereo.cas/cas-server-support-simple-mfa
org.apereo.cas:cas-server-support-oidc
Package
- Name
- org.apereo.cas:cas-server-support-oidc
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apereo.cas/cas-server-support-oidc
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.0-RC5
Affected versions
v6.*
v6.4.0-RC5
v6.4.0-RC6
5.*
5.0.0.M1
5.0.0.M2
5.0.0.M3
5.0.0.RC1
5.0.0.RC2
5.0.0.RC3
5.0.0.RC4
5.0.0
5.0.1
5.0.2
5.0.3
5.0.3.1
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0-RC4
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.12.1
5.3.13
5.3.14
5.3.15
5.3.15.1
5.3.16
6.*
6.0.0-RC1
6.0.0-RC2
6.0.0-RC3
6.0.0-RC4
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.5.1
6.0.6
6.0.7
6.0.8
6.0.8.1
6.1.0-RC1
6.1.0-RC2
6.1.0-RC3
6.1.0-RC4
org.apereo.cas:cas-server-core-services-api
Package
- Name
- org.apereo.cas:cas-server-core-services-api
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apereo.cas/cas-server-core-services-api
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.0-RC5
Affected versions
v6.*
v6.4.0-RC5
v6.4.0-RC6
5.*
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.12.1
5.3.13
5.3.14
5.3.15
5.3.15.1
5.3.16
6.*
6.0.0-RC1
6.0.0-RC2
6.0.0-RC3
6.0.0-RC4
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.5.1
6.0.6
6.0.7
6.0.8
6.0.8.1
6.1.0-RC1
6.1.0-RC2
6.1.0-RC3
6.1.0-RC4
org.apereo.cas:cas-server-support-oauth-core-api
Package
- Name
- org.apereo.cas:cas-server-support-oauth-core-api
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apereo.cas/cas-server-support-oauth-core-api
org.apereo.cas:cas-server-support-shell
Package
- Name
- org.apereo.cas:cas-server-support-shell
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apereo.cas/cas-server-support-shell
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.0-RC5
Affected versions
v6.*
v6.4.0-RC5
v6.4.0-RC6
5.*
5.0.0.M2
5.0.0.M3
5.0.0.RC1
5.0.0.RC2
5.0.0.RC3
5.0.0.RC4
5.0.0
5.0.1
5.0.2
5.0.3
5.0.3.1
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0-RC4
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.12.1
5.3.13
5.3.14
5.3.15
5.3.15.1
5.3.16
6.*
6.0.0-RC1
6.0.0-RC2
6.0.0-RC3
6.0.0-RC4
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.5.1
6.0.6
6.0.7
6.0.8
6.0.8.1
6.1.0-RC1
6.1.0-RC2
6.1.0-RC3
6.1.0-RC4
org.apereo.cas:cas-server-core-services-authentication
Package
- Name
- org.apereo.cas:cas-server-core-services-authentication
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apereo.cas/cas-server-core-services-authentication
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.0-RC5
Affected versions
v6.*
v6.4.0-RC5
v6.4.0-RC6
5.*
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.12.1
5.3.13
5.3.14
5.3.15
5.3.15.1
5.3.16
6.*
6.0.0-RC1
6.0.0-RC2
6.0.0-RC3
6.0.0-RC4
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.5.1
6.0.6
6.0.7
6.0.8
6.0.8.1
6.1.0-RC1
6.1.0-RC2
6.1.0-RC3
6.1.0-RC4