Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Related Vulnerabilities
CVE-2019-19729 Vulnerability in npm package bson-objectid
CVE-2020-36181 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2022-23437 Vulnerability in maven package xerces:xercesimpl
CVE-2021-23470 Vulnerability in npm package putil-merge
CVE-2021-23518 Vulnerability in npm package cached-path-relative