Base Score

HIGH8.1

CVE-2019-10754

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

VectorNETWORK

Published Byreport@snyk.io

Published DateSep 23, 2019, 23:15

Affected Versions(6)

org.apereo.cas:cas-server-support-simple-mfa(Maven)

Introduced0

Fixed6.1.0-RC5

LimitN/A

org.apereo.cas:cas-server-support-oidc(Maven)

Introduced0

Fixed6.1.0-RC5

LimitN/A

org.apereo.cas:cas-server-core-services-api(Maven)

Introduced0

Fixed6.1.0-RC5

LimitN/A

org.apereo.cas:cas-server-support-oauth-core-api(Maven)

Introduced0

Fixed6.1.0-RC5

LimitN/A

org.apereo.cas:cas-server-support-shell(Maven)

Introduced0

Fixed6.1.0-RC5

LimitN/A

org.apereo.cas:cas-server-core-services-authentication(Maven)

Introduced0

Fixed6.1.0-RC5

LimitN/A

Package (Ecosystem)	Fixed	Limit
org.apereo.cas:cas-server-support-simple-mfa(Maven)	6.1.0-RC5	N/A
org.apereo.cas:cas-server-support-oidc(Maven)	6.1.0-RC5	N/A
org.apereo.cas:cas-server-core-services-api(Maven)	6.1.0-RC5	N/A
org.apereo.cas:cas-server-support-oauth-core-api(Maven)	6.1.0-RC5	N/A
org.apereo.cas:cas-server-support-shell(Maven)	6.1.0-RC5	N/A
org.apereo.cas:cas-server-core-services-authentication(Maven)	6.1.0-RC5	N/A

Weakness Type (CWE):CWE-338

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

HIGH8.1

Weakness Type (CWE):CWE-338

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

CVE-2019-10754

VectorNETWORK

Published Byreport@snyk.io

Published DateSep 23, 2019, 23:15

Package (Ecosystem)

Introduced

Fixed

Limit

org.apereo.cas:cas-server-support-simple-mfa(Maven)

6.1.0-RC5

N/A

org.apereo.cas:cas-server-support-oidc(Maven)

6.1.0-RC5

N/A

org.apereo.cas:cas-server-core-services-api(Maven)

6.1.0-RC5

N/A

org.apereo.cas:cas-server-support-oauth-core-api(Maven)

6.1.0-RC5

N/A

org.apereo.cas:cas-server-support-shell(Maven)

6.1.0-RC5

N/A

org.apereo.cas:cas-server-core-services-authentication(Maven)

6.1.0-RC5

N/A