Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Related Vulnerabilities
CVE-2023-43961 Vulnerability in maven package cn.dev33:sa-token-core
CVE-2018-16487 Vulnerability in maven package org.webjars.bower:lodash
CVE-2023-49377 Vulnerability in maven package com.jfinal:jfinal
CVE-2022-35949 Vulnerability in npm package undici
CVE-2022-43426 Vulnerability in maven package io.jenkins.plugins:s3explorer