8.1

CVE-2019-10754

Exploit

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApereoCentral Authentication Service Version <= 6.0.5.1
ApereoCentral Authentication Service Version6.1.0 Updaterc1
ApereoCentral Authentication Service Version6.1.0 Updaterc2
ApereoCentral Authentication Service Version6.1.0 Updaterc3
ApereoCentral Authentication Service Version6.1.0 Updaterc4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.42% 0.591
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:P/I:P/A:N
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467402
Patch
Third Party Advisory
Exploit
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467404
Patch
Third Party Advisory
Exploit
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-467406
Patch
Third Party Advisory
Exploit
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468868
Patch
Third Party Advisory
Exploit
https://snyk.io/vuln/SNYK-JAVA-ORGAPEREOCAS-468869
Patch
Third Party Advisory
Exploit