Lucene search

[email protected]CVE-2019-3795

HistoryApr 09, 2019 - 4:29 p.m.

CVE-2019-3795

2019-04-0916:29:00

CWE-330

[email protected]

web.nvd.nist.gov

cve-2019-3795

spring security

vulnerability

nvd

insecure

randomness

securerandom

securerandomfactorybean

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.2 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

CPENameOperatorVersion
vmware:spring_securityvmware spring securitylt4.2.12
vmware:spring_securityvmware spring securitylt5.0.12
vmware:spring_securityvmware spring securitylt5.1.5
debian:debian_linuxdebian debian linuxeq8.0

CPE	Name	Operator	Version
vmware:spring_security	vmware spring security	lt	4.2.12
vmware:spring_security	vmware spring security	lt	5.0.12
vmware:spring_security	vmware spring security	lt	5.1.5
debian:debian_linux	debian debian linux	eq	8.0