CVE-2019-10755

Summary

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.

Affected Software

VendorProductVersion RangeStatus
n/aPAC4J For SAML ProtocolAll versions prior to version 4.0.0-RC1affected

Weaknesses

  • Insecure Randomness

ADP Enrichment

CVE Program Container

Additional References

References