Description
Use of Cryptographically Weak Pseudo-Random Number Generator in org.pac4j:pac4j-saml
The SAML identifier generated within SAML2Utils.java uses the Apache commons-lang3 RandomStringUtils class, whose PRNG is not cryptographically strong, which makes the generated identifiers predictable. This issue only affects the 3.X release of pac4j-saml.
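To make the weakness concrete, here is an added example (not pac4j's code and not its actual fix) that places the predictable pattern the advisory describes beside a hardened equivalent. The class name SamlIdExample and the helper names are constructed for this illustration; the only library calls are the real commons-lang3 `RandomStringUtils` overloads and `java.security.SecureRandom`. The leading underscore is there because a SAML ID must be an XML NCName, which cannot start with a digit.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Added example, not pac4j's code: contrasts the weak pattern described in the
// advisory with an equivalent generator backed by a CSPRNG.
public class SamlIdExample {

    // Weak: the no-argument RandomStringUtils helpers draw from java.util.Random,
    // which is not cryptographically strong. An observer who collects a few
    // identifiers can recover the generator state and predict the next ones.
    static String weakId(int length) {
        return "_" + RandomStringUtils.randomAlphanumeric(length);
    }

    // Hardened: one shared CSPRNG for the process (SecureRandom is thread-safe).
    private static final SecureRandom SECURE = new SecureRandom();

    // Same character set and length as above, but the random source is explicit:
    // random(count, start, end, letters, numbers, chars, random) with start=end=0
    // lets the library pick the full letters+digits range.
    static String strongId(int length) {
        return "_" + RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Alternative with no commons-lang3 dependency at all: raw CSPRNG bytes, hex-encoded.
    // 16 bytes gives 128 bits of entropy, enough to make guessing impractical.
    static String strongIdHex(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE.nextBytes(buf);
        StringBuilder sb = new StringBuilder("_");
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("weak (java.util.Random):   " + weakId(32));
        System.out.println("strong (SecureRandom):     " + strongId(32));
        System.out.println("strong hex (SecureRandom): " + strongIdHex(16));
    }
}
```

When auditing a codebase for this class of defect, search for `RandomStringUtils.random*` calls (and `java.util.Random`, `Math.random()`) on any path that produces a security-relevant token such as a SAML request ID, assertion ID, nonce or session identifier; every such call should either pass an explicit `SecureRandom` or be replaced by a CSPRNG-backed generator as above.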
Packages
Name: org.pac4j:pac4j-saml (maven)
Affected versions: < 3.8.2
Fixed version: 3.8.2
Related vulnerabilities
CVSS3: 4.9
nvd
more than 6 years ago