PT-2019-16725 · Spring · Spring Security

Thijs Alkemade

Publicado

2019-04-09

Atualizado

2021-11-02

CVE-2019-3795

CVSS v3.1

5.3

Média

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Spring Security versions 4.2.x prior to 4.2.12 Spring Security versions 5.0.x prior to 5.0.12 Spring Security versions 5.1.x prior to 5.1.5

Description The issue concerns an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. To be impacted, an application must provide a seed and make the resulting random material available to an attacker for inspection.

Recommendations For Spring Security versions 4.2.x prior to 4.2.12, update to version 4.2.12 or later. For Spring Security versions 5.0.x prior to 5.0.12, update to version 5.0.12 or later. For Spring Security versions 5.1.x prior to 5.1.5, update to version 5.1.5 or later.

Correção

Use of Insufficiently Random Values

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-330

Identificadores relacionados

CVE-2019-3795

DLA-1794-1

GHSA-V2R2-7QM7-JJ6V

Produtos afetados

Spring Security

PT-2019-16725 · Spring · Spring Security

CVE-2019-3795

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 12