Platform: java
Component: spring-security
Fixed in: 4.2.12.RELEASE, 5.0.12.RELEASE, 5.1.5.RELEASE
CVE-2019-3795 describes an insecure randomness vulnerability found in Spring Security. This vulnerability allows an attacker to potentially predict random numbers generated by the application if a seed is provided and the resulting random material is exposed. The vulnerability impacts Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5. A fix is available in version 5.1.4.RELEASE.
The core of this vulnerability lies in the SecureRandomFactoryBean component of Spring Security. If an application uses this factory and provides a seed value, and subsequently exposes the resulting random data, an attacker can analyze this data to predict future random numbers. This predictability can be exploited to compromise security-sensitive operations that rely on randomness, such as generating session IDs, cryptographic keys, or nonces. While the CVSS score is LOW, the potential impact on applications heavily reliant on secure randomness could be significant, particularly if the seed is predictable or derived from easily obtainable information. The vulnerability doesn't allow direct code execution but weakens the overall security posture by undermining the foundation of cryptographic operations.
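The following check is an added example, not code from Spring Security or from this advisory. It reproduces the failure mode described above in plain JDK code: two SHA1PRNG instances that receive the same caller-supplied seed before any output emit identical bytes, whereas instances that self-seed from system entropy first and only then mix in the caller's seed do not. The seed value and the `SHA1PRNG` algorithm name are assumptions for the demonstration; the helper names are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

/*
 * Added self-check: does a seeded SecureRandom yield a repeatable stream?
 * Two generators are built by the same recipe and fed the same seed; if their
 * first output blocks match, the seed alone determines every value produced.
 * Assumes the SUN provider's "SHA1PRNG" is available, as in stock JDKs.
 */
public class SeededRandomCheck {

    // Constructed stand-in for a seed taken from application configuration.
    private static final byte[] APP_SEED = "example-seed-from-config".getBytes();

    /** Seed before first use: for SHA1PRNG, setSeed() replaces the internal state. */
    static SecureRandom seedBeforeUse(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed);          // no prior self-seeding: output is a function of seed only
        return rnd;
    }

    /** Self-seed first, then supplement: setSeed() now only adds to the entropy pool. */
    static SecureRandom selfSeedThenSupplement(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.nextBytes(new byte[1]); // forces the provider to seed itself from system entropy
        rnd.setSeed(seed);          // caller's seed is mixed in rather than substituted
        return rnd;
    }

    interface GeneratorRecipe { SecureRandom build() throws Exception; }

    /** True when two generators built by the same recipe emit identical first blocks. */
    static boolean isDeterministic(GeneratorRecipe recipe) throws Exception {
        byte[] a = new byte[32];
        byte[] b = new byte[32];
        recipe.build().nextBytes(a);
        recipe.build().nextBytes(b);
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("setSeed before first use -> deterministic: "
                + isDeterministic(() -> seedBeforeUse(APP_SEED)));
        System.out.println("self-seed, then setSeed  -> deterministic: "
                + isDeterministic(() -> selfSeedThenSupplement(APP_SEED)));
    }
}
```

Running the same check against the generator an application actually wires up is a quick way to confirm that a supplied seed supplements entropy rather than replacing it.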
CVE-2019-3795 was publicly disclosed on April 9, 2019. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) exploits have been widely reported. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited attack surface and the requirement for specific conditions to be met for exploitation.
Exploit Status
EPSS: 0.55% (68th percentile)
The primary mitigation for CVE-2019-3795 is to upgrade to Spring Security version 5.1.4.RELEASE or later. If an immediate upgrade is not feasible, consider the following temporary workarounds. Ensure that any seed provided to SecureRandomFactoryBean is truly random and not derived from predictable sources. Avoid exposing the random material generated by SecureRandomFactoryBean to external entities. Review application code to identify every place where SecureRandomFactoryBean is used and assess the potential impact of the vulnerability there. While not a direct fix, strengthening seed generation practices reduces the likelihood of exploitation.
Update the version of Spring Security to version 4.2.12.RELEASE, 5.0.12.RELEASE or 5.1.5.RELEASE, or higher, as appropriate for your project. This corrects the insecure randomness vulnerability when using SecureRandom.
CVE-2019-3795 is a vulnerability in Spring Security affecting versions ≤5.1.4.RELEASE where an attacker can predict random numbers if a seed is provided and the random material is exposed, potentially compromising security-sensitive operations.
You are affected if you are using Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, or 5.1.x prior to 5.1.5.
Upgrade to Spring Security version 5.1.4.RELEASE or later. Ensure seeds are truly random and avoid exposing random material.
There is no indication of active exploitation campaigns targeting this vulnerability at this time.
Reference: the MITRE CVE entry for CVE-2019-3795: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795