Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
CVE-2019-3795

3.8LOW

Key Information:

Vendor: Spring
Status: Spring Security
Vendor: CVE Published:; 9 April 2019

🔔 Create Spring Vulnerability Alert

What is CVE-2019-3795?

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Affected Version(s)

Spring Security 5.0 < 5.0.11.RELEASE

Spring Security 5.1 < 5.1.4.RELEASE

Spring Security 4.2 < 4.2.11.RELEASE

References

https://pivotal.io/security/cve-2019-3795

x_refsource_CONFIRM

http://www.securityfocus.com/bid/107802

vdb-entryx_refsource_BID

https://lists.debian.org/debian-lts-announce/2019/05/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

3.8

Severity:

LOW

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Physical

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2019
Vulnerability Reserved
Jan 3, 2019

.