Predictable SAML Identifier in pac4j-saml Affects Security
CVE-2019-10755

4.9MEDIUM

Key Information:

Vendor: Pac4j
Status: Pac4j For Saml Protocol
Vendor: CVE Published:; 23 September 2019

What is CVE-2019-10755?

A security flaw exists in the SAML identifier generation within pac4j-saml's SAML2Utils.java. The system relies on the RandomStringUtils class from apache commons-lang3, which employs a PRNG algorithm that is not cryptographically secure. As a result, the identifiers can be predicted by attackers, potentially leading to unauthorized access or manipulation. This vulnerability specifically impacts the 3.X version of pac4j-saml.

Affected Version(s)

PAC4J For SAML Protocol All versions prior to version 4.0.0-RC1

References

https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2019
Vulnerability Reserved
Apr 3, 2019

CVE-2019-10755 Data

JSON

Pac4j

What is CVE-2019-10755?

Affected Version(s)

References

CVSS V3.1

Timeline