PT-2019-16725 · Spring · Spring Security

Thijs Alkemade

Published

2019-04-09

Updated

2021-11-02

CVE-2019-3795

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Spring Security versions 4.2.x prior to 4.2.12 Spring Security versions 5.0.x prior to 5.0.12 Spring Security versions 5.1.x prior to 5.1.5

Description The issue concerns an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. To be impacted, an application must provide a seed and make the resulting random material available to an attacker for inspection.

Recommendations For Spring Security versions 4.2.x prior to 4.2.12, update to version 4.2.12 or later. For Spring Security versions 5.0.x prior to 5.0.12, update to version 5.0.12 or later. For Spring Security versions 5.1.x prior to 5.1.5, update to version 5.1.5 or later.

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330

Related Identifiers

CVE-2019-3795

DLA-1794-1

GHSA-V2R2-7QM7-JJ6V

Affected Products

Spring Security

PT-2019-16725 · Spring · Spring Security

CVE-2019-3795

Weakness Enumeration

Related Identifiers

Affected Products

References · 12