Insecure Randomness Affecting org.springframework.security:spring-security-core package, versions [4.2.0.RELEASE, 4.2.12.RELEASE) [5.0.0.RELEASE, 5.0.12.RELEASE) [5.1.0.RELEASE, 5.1.5.RELEASE)
Snyk CVSS
Attack Complexity
High
Threat Intelligence
EPSS
0.46% (76th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-174111
- published 5 Apr 2019
- disclosed 2 Apr 2019
- credit Thijs Alkemade
Introduced: 2 Apr 2019
CVE-2019-3795 Open this link in a new tabHow to fix?
Upgrade org.springframework.security:spring-security-core to version 4.2.12.RELEASE, 5.0.12.RELEASE, 5.1.5.RELEASE or higher.
Overview
org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.
Affected versions of this package are vulnerable to Insecure Randomness due to the usage of SecureRandomFactoryBean#setSeed function to configure a SecureRandom instance. In order for exploitation, an attacker will need to obtain the content generated from an application's seed value.