The SAML identifiers generated within SAML2Utils.java were found to use the Apache commons-lang3 RandomStringUtils class, which makes them predictable because the PRNG behind RandomStringUtils is not cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
[
  {
    "product": "PAC4J For SAML Protocol",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "All versions prior to version 4.0.0-RC1"
      }
    ]
  }
]