CVE-2019-10754

Опубликовано: 23 сент. 2019

Источник: nvd

CVSS3: 8.1

CVSS2: 5.5

EPSS Низкий

Описание

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

Ссылки

https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apereo:central_authentication_service:*:*:*:*:*:*:*:*

Версия до 6.0.5.1 (включая)

cpe:2.3:a:apereo:central_authentication_service:6.1.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apereo:central_authentication_service:6.1.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apereo:central_authentication_service:6.1.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apereo:central_authentication_service:6.1.0:rc4:*:*:*:*:*:*

EPSS

Процентиль: 60%

0.004

Низкий

8.1 High

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-338

Связанные уязвимости

GHSA-g24w-373r-5pxg