Fluid Attacks Database

Description

Spring Security uses insufficiently random values Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.security:spring-security-core	>=4.2.0 <4.2.12 \|\| >=5.0.0 <5.0.12 \|\| >=5.1.0 <5.1.5	4.2.12, 5.0.12, 5.1.5
maven	org.springframework.security:spring-security-cas	>=4.2.0.release <4.2.12.release \|\| >=5.0.0.release <5.0.12.release \|\| >=5.1.0.release <5.1.5.release	4.2.12.release, 5.0.12.release, 5.1.5.release
maven	org.springframework:spring-core	>=4.2.0 <4.2.12 \|\| >=5.0.0 <5.0.12 \|\| >=5.1.0 <5.1.5	4.3.0.release, 5.0.13.release, 5.1.6.release

Aliases

1. CVE-2019-37952. NVD-2019-37953. OSV-2019-37954. GHSA-v2r2-7qm7-jj6v5. GCVE-2019-37956. lists.debian.org7. PIVOTAL-cve-2019-3795

References

1. https://pivotal.io/security/cve-2019-37952. http://www.securityfocus.com/bid/107802