Platform: java
Component: spring-security
Fixed in: 4.2.12.RELEASE, 5.0.12.RELEASE, 5.1.5.RELEASE
CVE-2019-3795 is an insecure-randomness vulnerability in Spring Security. If an application supplies a seed to the affected SecureRandom configuration and the resulting random material is exposed, an attacker may be able to predict the random numbers the application generates. The vulnerability affects Spring Security 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5; fixes are available in 4.2.12.RELEASE, 5.0.12.RELEASE, and 5.1.5.RELEASE.
The primary impact of CVE-2019-3795 is the predictability of random numbers produced by the affected Spring Security component. If an application uses these numbers for security-sensitive values such as session IDs, tokens, or encryption keys, an attacker who can predict them could hijack sessions, gain unauthorized access to resources, or cause other security breaches. Exploitation requires that an honest application both provide a seed and expose the resulting random material, so whether a deployment is exposed depends on its specific configuration and behaviour.
CVE-2019-3795 was publicly disclosed on April 9, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. The CVSS score is LOW (3.8), reflecting the limited impact and the specific conditions required for exploitation. It is not listed in the CISA KEV catalog.
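The advisory's condition "a seed is provided" rests on a JDK behaviour worth seeing directly: for some SecureRandom providers, a setSeed() call made before the generator has produced any output replaces its internal state entirely, so two generators given the same seed emit identical bytes. The following is an added illustration, not Spring Security's code and not its fix; it assumes the SHA1PRNG algorithm (whose documentation states exactly this seed-before-use behaviour) and a constructed seed value, and contrasts the deterministic pattern with a self-seed-first pattern in which the caller's seed only supplements the provider's own entropy.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededRandomCheck {

    // Assumption: SHA1PRNG is used for illustration because the JDK documents that
    // a setSeed() before the first nextBytes() completely determines its output.
    static final String ALGORITHM = "SHA1PRNG";

    /** Pattern matching the advisory's condition: the caller seeds a fresh generator. */
    static byte[] seededBeforeUse(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance(ALGORITHM);
        r.setSeed(seed);              // replaces the provider's self-seeding: output is a function of the seed
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    /** Safer pattern: force self-seeding first, then let the caller's seed supplement the state. */
    static byte[] seededAfterUse(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance(ALGORITHM);
        r.nextBytes(new byte[1]);     // first output triggers seeding from the system entropy source
        r.setSeed(seed);              // now mixed into existing state rather than replacing it
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    /** True if two independently constructed generators given the same seed produce the same bytes. */
    static boolean isDeterministic(boolean seedFirst) throws NoSuchAlgorithmException {
        // Constructed sample seed; in a real application this would be whatever the caller supplies.
        byte[] seed = "constructed-application-seed".getBytes(StandardCharsets.UTF_8);
        byte[] a = seedFirst ? seededBeforeUse(seed, 16) : seededAfterUse(seed, 16);
        byte[] b = seedFirst ? seededBeforeUse(seed, 16) : seededAfterUse(seed, 16);
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("seed before first use -> deterministic: " + isDeterministic(true));
        System.out.println("seed after self-seeding -> deterministic: " + isDeterministic(false));
    }
}
```

Running this shows the first check reporting true and the second false. The point for a reviewer is that a seed handed to SecureRandom is not automatically "extra" entropy: depending on the provider and on when it is applied, it can be the only entropy, which is why exposing material derived from a caller-supplied seed is the risk this advisory describes.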
Applications heavily reliant on Spring Security for authentication and authorization, particularly those that generate cryptographic keys or session IDs using SecureRandomFactoryBean and expose the resulting random data, are at increased risk. Systems using older, unpatched versions of Spring Security (≤5.1.4.RELEASE) are directly vulnerable.
• java / server:
  # Check Spring Security version
  java -jar your_application.jar | grep 'Spring Security'
• java / supply-chain:
  # Check for vulnerable dependencies in a Maven project
  mvn dependency:tree | grep 'spring-security'
• generic web:
  # Check for potential seed exposure in application logs
  grep -i 'seed=' /var/log/your_application/*.log
Exploit status
EPSS: 0.55% (68th percentile)
CVSS vector:
The primary mitigation for CVE-2019-3795 is to upgrade to a Spring Security release that addresses the vulnerability: 4.2.12.RELEASE, 5.0.12.RELEASE, or 5.1.5.RELEASE, or later. If upgrading is not immediately feasible, isolate the SecureRandomFactoryBean and limit external access to it, and review application code to ensure that random numbers generated by SecureRandomFactoryBean are neither exposed nor predictable. While not a direct fix, robust input validation and security monitoring can help detect and respond to potential exploitation attempts.
Upgrade Spring Security to version 4.2.12.RELEASE, 5.0.12.RELEASE, or 5.1.5.RELEASE or later, as appropriate for your project. This fixes the insecure randomness vulnerability when using SecureRandom.
CVE-2019-3795 is a vulnerability in Spring Security affecting versions ≤5.1.4.RELEASE where an attacker can predict random numbers if a seed is provided and the random material is exposed, potentially compromising security-sensitive operations.
You are affected if you are using Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, or 5.1.x prior to 5.1.5.
Upgrade to Spring Security 4.2.12.RELEASE, 5.0.12.RELEASE, or 5.1.5.RELEASE or later. Ensure seeds are truly random and avoid exposing the generated random material.
There is no indication of active exploitation campaigns targeting this vulnerability at this time.
Refer to the MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795