
CVE-2019-3795: Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security


Severity

Low

Vendor

Spring by Pivotal

Description

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
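As an added regression check (illustrative code, not Spring Security's own implementation or its fix), the following Java program detects the failure mode this advisory describes: a SecureRandom whose output is fully determined by an application-supplied seed. It assumes the standard JDK SHA1PRNG provider and uses a constructed sample seed in place of the application's seed resource.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Supplier;

// Added example, not Spring Security code: checks whether a seeded
// SecureRandom is a pure function of the caller-supplied seed.
public class SeededRandomCheck {
    // Constructed sample seed standing in for the application's seed resource.
    static final byte[] SAMPLE_SEED = "example-application-seed".getBytes();

    // True when two independently built instances fed the same seed emit the
    // same bytes, i.e. anyone who knows the seed can predict the output.
    static boolean outputDeterminedBySeed(Supplier<SecureRandom> factory, byte[] seed) {
        byte[] first = new byte[32];
        byte[] second = new byte[32];
        SecureRandom r1 = factory.get();
        r1.setSeed(seed);
        r1.nextBytes(first);
        SecureRandom r2 = factory.get();
        r2.setSeed(seed);
        r2.nextBytes(second);
        return Arrays.equals(first, second);
    }

    static SecureRandom sha1Prng() {
        try {
            return SecureRandom.getInstance("SHA1PRNG");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Weak construction: the JDK documents that for SHA1PRNG a setSeed()
        // call made before any output replaces self-seeding entirely.
        boolean weak = outputDeterminedBySeed(SeededRandomCheck::sha1Prng, SAMPLE_SEED);

        // Hardened construction: draw one byte first so the instance seeds
        // itself from the platform entropy source; the caller's seed is then
        // only mixed into that state and no longer determines the output.
        boolean hardened = outputDeterminedBySeed(() -> {
            SecureRandom r = sha1Prng();
            r.nextBytes(new byte[1]);
            return r;
        }, SAMPLE_SEED);

        System.out.println("seed before output, determined by seed: " + weak);
        System.out.println("self-seed first, determined by seed:    " + hardened);
    }
}
```

Run the check against whatever factory your application uses to build its SecureRandom; a `true` result means the seed alone predicts the random material the application exposes.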

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • Spring Security 4.2 to 4.2.11
  • Spring Security 5.0 to 5.0.11
  • Spring Security 5.1 to 5.1.4

Mitigation

Users of affected versions should apply the following mitigation:

  • 4.2.x users should upgrade to 4.2.12
  • 5.0.x users should upgrade to 5.0.12
  • 5.1.x users should upgrade to 5.1.5

Credit

This issue was identified and responsibly reported by Thijs Alkemade.

History

2019-04-02: Initial vulnerability report published.
