CVE-2019-3795

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBeansetSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make...

Design/Logic Flaw

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBeansetSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make...

CVE-2019-3795

CVE-2019-3795 affects Spring Security: insecure randomness when SecureRandomFactoryBean#setSeed is used to configure a SecureRandom. Impact requires the application to supply a seed and expose the resulting random material to an attacker. Affected releases include Spring Security 4.2.x before 4.2...

CVE-2019-3795 Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBeansetSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make...

Information Disclosure

spring-data-jpa is vulnerable to information disclosure. Derived queries using any of the predicates startingWith, endingWith or containing could return more results than anticipated when a maliciously crafted query parameter value is supplied. LIKE expressions in manually defined queries could...

CVE-2019-3797

This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...

CVE-2019-10907

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users...

CVE-2019-10907

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users...

CVE-2019-10907

Airsonic 10.2.1 is affected. The CVE describes that Spring’s remember-me feature is used with MD5 and a fixed key (class GlobalSecurityConfig.java, key: uitstairsonic? actually the document says fixed key of airsonic). An attacker who can capture cookies could offline-bruteforce user passwords. T...

Insecure Randomness

spring-security-core is vulnerable to insecure randomness. The vulnerability exists because it does not use a secure way of generating randomness in SecureRandomFactoryBeansetSeed to configure a SecureRandom instance...

CVE-2019-3778

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...

Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench affected by Spring vulnerability (CVE-2018-15756)

Summary The Spring framework is vulnerable to a security issue affecting the Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench. Vulnerability Details CVEID: CVE-2018-15756 DESCRIPTION: Pivotal Spring Framework is vulnerable to a denial of...

Spring Framework JAR Detection

Binary data springjardetection.nbin...

am.ik.home:uaa-client (>=1.0.0 <=1.9.0), am.ik.home:uaa-integration-test (>=1.0.0 <=1.9.0) +537 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=1.0.0.RELEASE <=2.0.16.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =1.0.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =1.0.0, =A.1.1.0, =A.1.1.0, =A.1.1.0, =A.1.1.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1.11 - com.17jee:e-security-token =3.0.1.11 and more Source cves: CVE-2019-3778 Source...

com.alexbt:springboot-autoconfigure-openid-oauth (=1.0.9), com.appdirect:service-integration-sdk (>=1.24 <=v11.129.7) +10 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth (>=2.0.10.RELEASE <=2.0.14.RELEASE)

org.springframework.security.oauth:spring-security-oauth MAVEN version =2.0.10.RELEASE, =1.24, =2.7.4.7, =2.7.4.7, =2.7.4.7, =3.3.0.4, =3.3.0.4, =2.7.4.7, =4.4.0 Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GC...

br.com.anteros:Anteros-Security-Spring (>=2.0.0 <=2.0.20), br.com.anteros:Anteros-Security-Spring-Mongo (>=1.0.0 <=1.0.5) +284 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.3.0.RELEASE <=2.3.4.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.3.0.RELEASE, =2.0.0, =1.0.0, =1.0.0, =1.0.6, =1.0.6, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GC...

au.org.consumerdatastandards:client-cli (>=1.1.1 <=2.4.1), fm.pattern:tokamak-authorization (=1.0.1) +17 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.1.0.RELEASE <=2.1.1.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.1.0.RELEASE, =1.1.1, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.9.0, =1.9.0, =1.3.0, =1.3.0, =1.3.4 and more Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GChttps://vulners.c...

br.com.anteros:Anteros-Keycloak (=1.0.0), cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE) +69 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.2.0.RELEASE <=2.2.3.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.2.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =1.0.0, =1.0.0, =3.3.2, =4.0.1 - com.ge.research.semtk:springSecurityLibrary =2.2.2 -...

CVE-2019-3778 Open Redirect in spring-security-oauth2

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...

CVE-2019-3778

The CVE-2019-3778 entry concerns an open redirect vulnerability in Spring Security OAuth where an attacker can abuse the redirect_uri parameter at the authorization endpoint to redirect a user-agent to an attacker-controlled URI, leaking the authorization code. Affected are older Spring Security ...