CAS Vulnerability Disclosure


This is an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects random number generation.

Apereo CAS is using an insecure source of randomness to generate its password reset URL among other things. This is because Apereo CAS relies upon apache commons lang3 RandomStringUtils. From the documentation of this class:

Caveat: Instances of Random, upon which the implementation of this class relies, are not cryptographically secure.

The following areas and components in CAS make use of RandomStringUtils to generate a random number:

  • Password reset URL, when CAS Password Management is turned on.
  • Internal token identifiers when CAS is acting as a simple multifactor authentication provider.
  • JWT encryption key generation, when used specifically via the CAS command-line shell.
  • OAuth user device code
  • Anonymous or transient username identifiers


Applications for CVEs were submitted to MITRE for approval by the folks at



Special thanks to Jonathan Leitschuh for originally reporting the issue to the CAS application security group, and the good folks at who graciously and patiently provided additional guidance and assistance.

Affected Deployments

The attack vector applies to deployments of the CAS server for the versions:

- 5.3.x
- 6.0.x
- 6.1.x

Previous CAS versions are considered EOL and are advised to upgrade.


Most if not all references to RandomStringUtils in CAS are purely used internally and have no significant impact on the security of the deployment or connected integrations. The only possible exception might be the generation of password reset urls when the password management functionality is turned on with the assumption that one can craft a reset URL which:

  • contains a compromised token that is identical to the one tracked and created by CAS.
  • is still valid within the configured expiration timeframe.
  • is signed and encrypted using the same keypair used by CAS.

The severity of this issue is considered low for CAS, though it is recommended that upgrades be carried out to removes any chances of security breaches.


Patch releases are available to address relevant CAS deployments. The patch effectively replaces usages of RandomStringUtils for random number generation with one that relies on a more secure strategy. Upgrades to the next patch version for each release should be a drop-in replacement.


The issue was originally reported to the CAS application security team on September 17th, 2019 and upon confirmation, CAS was patched.



Modify your CAS overlay to point to the version A snippet of a pom.xml for a CAS overlay follows:




Modify your CAS overlay to point to the version A snippet of a for a CAS overlay follows:



Modify your CAS overlay to point to the version 6.1.0. A snippet of a for a CAS overlay follows:



CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.


On behalf of the CAS Application Security working group,

Misagh Moayyed

Related Posts

CAS 6.2.0 RC3 Feature Release which I present an overview of CAS 6.2.0 RC3 release.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.

CAS 6.2.0 RC2 Feature Release which I present an overview of CAS 6.2.0 RC2 release.

Apereo CAS - Authentication Handler Resolution

Learn how to resolve and select authentication handlers based on configurable and flexible filtering criteria.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Apereo CAS - SAML2 Metadata Overrides

Learn how to manage SAML2 service provider registrations in CAS and override metadata artifacts on a per-application basis.

Apereo CAS - Managing Configuration Metadata

Learn how to manage CAS configuration and properties using Spring Boot Configuration metadata.

CAS 6.2.0 RC1 Feature Release which I present an overview of CAS 6.2.0 RC1 release.

Apereo CAS - Deployment Using systemd

Fabio Martelli of Tirasa S.r.l reviews the setup required to deploy Apereo CAS as a system service using systemd.

Apereo CAS - Python Locust Load Testing

Learn to Performance Test Apereo CAS with Python Locust.