Description
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
Related Vulnerabilities
CVE-2020-8149 Vulnerability in npm package logkitty
CVE-2021-42550 Vulnerability in maven package ch.qos.logback:logback-core
CVE-2022-36663 Vulnerability in maven package org.gluu:oxauth-common
CVE-2023-30531 Vulnerability in maven package org.jenkins-ci.plugins:consul-kv-builder
CVE-2023-45133 Vulnerability in maven package org.webjars.npm:babel__traverse