Insecure Random Number Generation
Description
RandomStringUtils (Apache Commons Lang) uses a shared java.util.Random instance by default, which is not suitable for security-sensitive values such as tokens, session identifiers or passwords. It is recommended to use a cryptographically secure pseudo-random number generator (CSPRNG) such as java.security.SecureRandom instead.
Examples
Insecure Code

```java
// Backed by the library's shared java.util.Random: predictable output
RandomStringUtils.random(10);
```

Secure Code

```java
// Explicit CSPRNG. start = 0 and end = 0 selects the library's default
// character range (filtered here to letters and digits); a range such as
// 0..10 contains no letters or digits and the call never completes (or,
// in newer versions, throws IllegalArgumentException).
RandomStringUtils.random(10, 0, 0, true, true, null, new SecureRandom());
```

Remediation
Use SecureRandom instead of the default Random, e.g., RandomStringUtils.random(10, 0, 0, true, true, null, new SecureRandom()). Create the SecureRandom once and reuse it rather than constructing a new instance per call.
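The flagged pattern and its remediation side by side, as an added example that is not part of the rule's own documentation. It assumes commons-lang3 is on the classpath; the class name TokenGenerator, the method names and the ALPHANUMERIC alphabet are choices made for this example. The plain-JDK variant goes slightly beyond the rule text by showing that SecureRandom alone, without RandomStringUtils, is enough.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Added example (not the rule's own code). Assumes commons-lang3 on the classpath.
public class TokenGenerator {

    // One SecureRandom per generator: it is thread-safe and seeding is costly.
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Alphabet used by the plain-JDK variant and the sanity check below.
    private static final String ALPHANUMERIC =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // FLAGGED: the static helpers share a java.util.Random instance, whose
    // 48-bit linear congruential state makes later output predictable from
    // earlier output. Fine for test fixtures, not for session ids,
    // reset tokens or passwords.
    static String insecureToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // FIXED: same library, explicit CSPRNG. start = end = 0 selects the
    // library's default range, and letters/numbers = true restricts it to
    // letters and digits.
    static String secureToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, CSPRNG);
    }

    // FIXED without commons-lang: SecureRandom.nextInt(bound) is unbiased,
    // so indexing a fixed alphabet yields uniformly distributed characters.
    // 32 characters from a 62-symbol alphabet is roughly 190 bits of entropy.
    static String secureTokenPlainJdk(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHANUMERIC.charAt(CSPRNG.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    // Sanity check a reviewer can keep as a unit test: expected length and
    // every character drawn from the intended alphabet.
    static boolean isAlphanumeric(String token, int expectedLength) {
        if (token.length() != expectedLength) {
            return false;
        }
        for (char c : token.toCharArray()) {
            if (ALPHANUMERIC.indexOf(c) < 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String flagged = insecureToken(32);
        String fixed = secureToken(32);
        String plain = secureTokenPlainJdk(32);
        System.out.println("insecure (java.util.Random): " + flagged);
        System.out.println("secure   (SecureRandom):     " + fixed);
        System.out.println("secure   (plain JDK):        " + plain);
        System.out.println("alphabet/length ok: "
                + (isAlphanumeric(fixed, 32) && isAlphanumeric(plain, 32)));
    }
}
```

Both secure variants produce output that looks identical to the insecure one, which is why this rule exists: nothing about the token itself reveals which generator produced it, so the check has to happen in code review or static analysis, not by inspecting values.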
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0100 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-338 |
| Confidence | LOW |
| Impact | LOW |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | randomness, security |
| OWASP | A9: Using Components with Known Vulnerabilities |