CVE-2019-3795
Last modified
CVE-2019-3795 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.. EPSS estimates a 1.88% chance of exploitation in the next 30 days.
Description
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Security | >= 4.2.0, < 4.2.12 |
| Vmware | Spring Security | >= 5.0.0, < 5.0.12 |
| Vmware | Spring Security | >= 5.1.0, < 5.1.5 |
| Debian | Debian Linux | 8.0 |
References
- http://www.securityfocus.com/bid/107802Third Party Advisory, VDB Entry
- https://lists.debian.org/debian-lts-announce/2019/05/msg00026.htmlMailing List, Third Party Advisory
- https://pivotal.io/security/cve-2019-3795Vendor Advisory
- http://www.securityfocus.com/bid/107802Third Party Advisory, VDB Entry
- https://lists.debian.org/debian-lts-announce/2019/05/msg00026.htmlMailing List, Third Party Advisory
- https://pivotal.io/security/cve-2019-3795Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-3795?
How severe is CVE-2019-3795?
How do I fix CVE-2019-3795?
Are you affected by CVE-2019-3795?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST