High severity · NVD Advisory · Published Sep 23, 2019 · Updated Aug 4, 2024
CVE-2019-10754
Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes those tokens and IDs predictable because the PRNG algorithm behind RandomStringUtils is not cryptographically strong.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.apereo.cas:cas-server-support-simple-mfa | < 6.1.0-RC5 | 6.1.0-RC5 |
| org.apereo.cas:cas-server-support-oidc | < 6.1.0-RC5 | 6.1.0-RC5 |
| org.apereo.cas:cas-server-core-services-api | < 6.1.0-RC5 | 6.1.0-RC5 |
| org.apereo.cas:cas-server-support-oauth-core-api | < 6.1.0-RC5 | 6.1.0-RC5 |
| org.apereo.cas:cas-server-support-shell | < 6.1.0-RC5 | 6.1.0-RC5 |
| org.apereo.cas:cas-server-core-services-authentication | < 6.1.0-RC5 | 6.1.0-RC5 |
Affected products
- Apereo/CAS (GHSA coordinates, 6 package versions; no CPE assigned), all with range < 6.1.0-RC5:
  - pkg:maven/org.apereo.cas/cas-server-core-services-api
  - pkg:maven/org.apereo.cas/cas-server-core-services-authentication
  - pkg:maven/org.apereo.cas/cas-server-support-oauth-core-api
  - pkg:maven/org.apereo.cas/cas-server-support-oidc
  - pkg:maven/org.apereo.cas/cas-server-support-shell
  - pkg:maven/org.apereo.cas/cas-server-support-simple-mfa
Patches
Vulnerability mechanics
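The description above says the tokens are predictable because RandomStringUtils does not use a cryptographically strong PRNG. In the commons-lang3 releases of that era, RandomStringUtils drew from a shared java.util.Random, a 48-bit linear congruential generator whose nextInt() returns the top 32 bits of its state. The following is an added example, not code from CAS or commons-lang3: it recovers the generator state from two consecutive nextInt() outputs and predicts the third, then shows the SecureRandom-based pattern that the fix moves to. Class, method and constant names are illustrative; the LCG parameters are those documented for java.util.Random.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Added example (not CAS or commons-lang3 code). Demonstrates why token
 * material drawn from java.util.Random can be predicted, and the
 * SecureRandom replacement. All names are illustrative.
 */
public class TokenPredictability {
    // java.util.Random's 48-bit LCG parameters (from the JDK specification).
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Vulnerable pattern: token material from a shared java.util.Random. */
    static final Random WEAK = new Random();

    static int weakTokenWord() {
        return WEAK.nextInt();
    }

    /**
     * Recover the generator state from two consecutive nextInt() outputs.
     * nextInt() exposes the top 32 bits of the 48-bit state, so only the low
     * 16 bits are unknown: 65,536 candidates, each checked against the second
     * output. Returns a Random positioned to emit the same values as the
     * original from this point on, or null if no candidate matched.
     */
    static Random cloneFromOutputs(int out1, int out2) {
        long hi = (out1 & 0xFFFFFFFFL) << 16;
        for (long lo = 0; lo < (1L << 16); lo++) {
            long s1 = hi | lo;
            long s2 = (s1 * MULT + ADD) & MASK;
            if ((int) (s2 >>> 16) == out2) {
                Random clone = new Random();
                // setSeed XORs its argument with MULT before storing, so undo that.
                clone.setSeed(s2 ^ MULT);
                return clone;
            }
        }
        return null;
    }

    /** Hardened pattern: 32 bytes from SecureRandom, URL-safe base64 encoded. */
    static final SecureRandom STRONG = new SecureRandom();

    static String strongToken() {
        byte[] buf = new byte[32];
        STRONG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        int a = weakTokenWord();
        int b = weakTokenWord();
        Random clone = cloneFromOutputs(a, b);
        if (clone == null) {
            System.out.println("no matching state found (unexpected)");
            return;
        }
        int predicted = clone.nextInt();
        int actual = weakTokenWord();
        System.out.println("predicted=" + predicted + " actual=" + actual
                + " match=" + (predicted == actual));
        System.out.println("strong token: " + strongToken());
    }
}
```

Two caveats. First, RandomStringUtils builds strings with nextInt(bound) rather than raw nextInt(), so each character leaks fewer state bits and recovering the generator from observed token strings takes more observations and more search than this two-output case; the point here is that the generator's state is recoverable at all, not to reproduce an attack on a specific CAS token format. Second, SecureRandom fixes the predictability but not entropy of the token itself: keep token length at 128 bits or more and compare tokens in constant time on the server side.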
References
- GHSA advisory: https://github.com/advisories/GHSA-g24w-373r-5pxg
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-10754
- Fix commit: https://github.com/apereo/cas/commit/40bf278e66786544411c471de5123e7a71826b9f
- Snyk: https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
- Snyk: https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
- Snyk: https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
- Snyk: https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
- Snyk: https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869