Moderate severityNVD Advisory· Published Apr 9, 2019· Updated Sep 17, 2024
Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
CVE-2019-3795
Description
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-coreMaven | >= 4.2.0, < 4.2.12 | 4.2.12 |
org.springframework.security:spring-security-coreMaven | >= 5.0.0, < 5.0.12 | 5.0.12 |
org.springframework.security:spring-security-coreMaven | >= 5.1.0, < 5.1.5 | 5.1.5 |
Affected products
2- Range: 5.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-v2r2-7qm7-jj6vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-3795ghsaADVISORY
- www.securityfocus.com/bid/107802ghsavdb-entryx_refsource_BIDWEB
- lists.debian.org/debian-lts-announce/2019/05/msg00026.htmlghsamailing-listx_refsource_MLISTWEB
- pivotal.io/security/cve-2019-3795ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.