Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Related Vulnerabilities
CVE-2022-29546 Vulnerability in maven package net.sourceforge.htmlunit:neko-htmlunit
CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_2.12
CVE-2019-19899 Vulnerability in maven package com.mitchellbosecke:pebble
CVE-2020-35490 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind