CVE-2019-3795 – org.springframework.security:spring-security-core
Package
Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=4.2.0 <4.2.12 || >=5.0.0 <5.0.12 || >=5.1.0 <5.1.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01961 (percentile 0.8279)
Details
Spring Security uses insufficiently random values. Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when SecureRandomFactoryBean#setSeed is used to configure a SecureRandom instance. The underlying problem is that a seed applied to a freshly created SHA1PRNG SecureRandom before it has produced any output replaces the generator's internal state instead of supplementing it, so every value the instance later returns is a deterministic function of the configured seed. To be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
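The following is an added reproduction of the failure mode using only the JDK; it is not Spring Security's code and does not call SecureRandomFactoryBean. The `seedThenDraw` method mirrors the seed-before-first-use pattern (an assumption about what the vulnerable bean did, based on the advisory text), and `drawThenSeed` shows the hardened ordering: force the platform self-seeding first, then let `setSeed` supplement the state as its Javadoc promises. The seed bytes are a constructed stand-in for the resource a deployment would configure.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Added example (not Spring Security code): shows why seeding a SHA1PRNG
 * SecureRandom before it has ever produced output makes its stream
 * reproducible, and how ordering the calls differently avoids that.
 */
public final class SeededSecureRandomCheck {

    // Constructed sample seed; stands in for the resource handed to
    // SecureRandomFactoryBean#setSeed in a real deployment (assumption).
    private static final byte[] SEED =
            "operator-supplied-seed".getBytes(StandardCharsets.UTF_8);

    /** Vulnerable ordering: seed applied before the generator's first output. */
    static byte[] seedThenDraw(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        // State is still uninitialised, so this seed becomes the entire state.
        rnd.setSeed(seed);
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    /** Hardened ordering: self-seed from platform entropy, then supplement. */
    static byte[] drawThenSeed(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        // First request forces default seeding from the system entropy source.
        rnd.nextBytes(new byte[1]);
        // Now setSeed mixes into existing state instead of replacing it.
        rnd.setSeed(seed);
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    /** Returns true when two independent instances configured the same way agree. */
    static boolean isReproducible(boolean seedFirst, byte[] seed, int n)
            throws NoSuchAlgorithmException {
        byte[] a = seedFirst ? seedThenDraw(seed, n) : drawThenSeed(seed, n);
        byte[] b = seedFirst ? seedThenDraw(seed, n) : drawThenSeed(seed, n);
        return Arrays.equals(a, b);
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("seed-then-draw #1: " + hex(seedThenDraw(SEED, 16)));
        System.out.println("seed-then-draw #2: " + hex(seedThenDraw(SEED, 16)));
        System.out.println("seed-then-draw reproducible: " + isReproducible(true, SEED, 16));

        System.out.println("draw-then-seed #1: " + hex(drawThenSeed(SEED, 16)));
        System.out.println("draw-then-seed #2: " + hex(drawThenSeed(SEED, 16)));
        System.out.println("draw-then-seed reproducible: " + isReproducible(false, SEED, 16));
    }
}
```

Run it with `javac SeededSecureRandomCheck.java && java SeededSecureRandomCheck`. The two seed-then-draw lines print identical bytes on every run and on every machine that knows the seed, which is exactly the inspection scenario the advisory describes; the two draw-then-seed lines differ. The same check works as a unit test against any wrapper that exposes a configured SecureRandom: build two instances the way production does, draw a few bytes from each, and fail the build if they match.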
Metadata
Created: 2019-04-16T15:10:59Z
Modified: 2022-11-17T19:45:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-v2r2-7qm7-jj6v/GHSA-v2r2-7qm7-jj6v.json
CWE IDs: ["CWE-330"]
Alternative ID: GHSA-v2r2-7qm7-jj6v
Finding: F034
Auto approve: 1