CVE-2019-3795
published 2019-04-09CVE-2019-3795: Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using…
medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| spring | spring_security | >= 4.2 < 4.2.11.RELEASE | 4.2.11.RELEASE |
| spring | spring_security | >= 5.0 < 5.0.11.RELEASE | 5.0.11.RELEASE |
| spring | spring_security | >= 5.1 < 5.1.4.RELEASE | 5.1.4.RELEASE |
| vmware | spring_security | >= 4.2.0 < 4.2.12 | 4.2.12 |
| vmware | spring_security | >= 5.0.0 < 5.0.12 | 5.0.12 |
| vmware | spring_security | >= 5.1.0 < 5.1.5 | 5.1.5 |