Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Related Vulnerabilities
CVE-2023-39153 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth
CVE-2015-0250 Vulnerability in maven package batik:batik-transcoder
CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector
CVE-2016-10735 Vulnerability in maven package org.ow2.jonas:bootstrap
CVE-2022-2564 Vulnerability in maven package org.webjars.npm:mongoose