pivotalsoftware spring-security CVE-2019-3795 vulnerability in Pivotal Software and Other Products
Published on April 9, 2019

Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
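The mechanism behind this advisory can be seen directly in the JDK, independent of Spring. The following added example is not code from the page or from the Spring Security project; it assumes the "SHA1PRNG" algorithm (the one SecureRandomFactoryBean uses by default) and a constructed seed string. In the JDK's SHA1PRNG implementation, a seed passed in before the generator has produced any output replaces the internal state, so two instances given the same seed produce the same byte stream. Forcing one output first makes the generator self-seed from the platform entropy source, after which the application seed only supplements that state, which is the hardened pattern.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedingDemo {

    // Constructed sample seed; in the vulnerable configuration this would come from
    // the value handed to SecureRandomFactoryBean#setSeed.
    private static final byte[] SEED = "app-configured-seed".getBytes(StandardCharsets.UTF_8);

    // Assumed default algorithm of the factory bean.
    private static final String ALGORITHM = "SHA1PRNG";

    /** Weak pattern: the seed is applied before the generator has self-seeded. */
    static SecureRandom seededBeforeUse() throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance(ALGORITHM);
        rnd.setSeed(SEED); // with SHA1PRNG at this point the seed becomes the whole state
        return rnd;
    }

    /** Hardened pattern: self-seed from system entropy first, then let the seed supplement it. */
    static SecureRandom selfSeededThenSupplemented() throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance(ALGORITHM);
        rnd.nextBytes(new byte[1]); // first output forces self-seeding from the platform source
        rnd.setSeed(SEED);          // now the application seed is mixed into existing state
        return rnd;
    }

    /** Draw 16 bytes from a generator so two instances can be compared. */
    static byte[] draw(SecureRandom rnd) {
        byte[] out = new byte[16];
        rnd.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Two independently constructed instances, each configured the weak way.
        byte[] a = draw(seededBeforeUse());
        byte[] b = draw(seededBeforeUse());
        System.out.println("seed-only instances produce identical output: " + Arrays.equals(a, b));

        // Two independently constructed instances, each configured the hardened way.
        byte[] c = draw(selfSeededThenSupplemented());
        byte[] d = draw(selfSeededThenSupplemented());
        System.out.println("self-seeded instances produce identical output: " + Arrays.equals(c, d));
    }
}
```

Run it twice: the weak configuration yields the same 16 bytes on every run and on every machine that knows the seed, which is exactly the condition the advisory describes (a seed supplied by the application and output observable by an attacker). The self-seeded configuration differs between instances and between runs, because the seed no longer determines the state on its own.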


Weakness Type

Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.


Products Associated with CVE-2019-3795


Affected Versions

Spring Security:

Exploit Probability

EPSS: 0.55%
Percentile: 67.61%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.