CVE-2019-3795

Information Exposure
Affects
Spring Security
<4.2.12, >=5.0.0 <5.0.12, >=5.1.0 <5.1.5
in
Spring
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications. It provides a range of security features that make it easier to secure enterprise applications.

An insecure-randomness vulnerability (CVE-2019-3795) has been found in some versions of spring-security-core from Spring Security. If an application is configured to use a set value for SecureRandomFactoryBean#setSeed, this weakens the security of any encrypted information.

Per OWASP, insecure randomness is defined as the use of predictable or non-cryptographically secure random number generators in security-sensitive contexts. It occurs when functions that produce deterministic and easily reproducible outputs, such as statistical PRNGs, are used instead of cryptographic PRNGs. Such randomness is insufficient for tasks where unpredictability is crucial, because attackers can exploit the predictable outputs to compromise security by guessing values used for sensitive operations such as tokens, keys, or session identifiers.

This issue affects multiple versions of spring-security-core from Spring Security.

Details

Vulnerability Info

This CVE involves a feature called SecureRandomFactoryBean that creates random numbers. If it is configured with a "predictable seed" (a fixed starting value rather than a truly random one), attackers may be able to guess the "random" numbers it produces. Those numbers may then be used for important purposes such as security tokens or cryptographic keys, and guessing them puts the system at risk.

Unpredictable random numbers are essential for keeping an application safe. If attackers can predict them, they can break into the system far more easily, which may let them view private information, take over user accounts, or perform other harmful actions.
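The following is an added, self-contained example that is not part of this advisory and not Spring Security's own code; it uses only the JDK. It demonstrates the failure mode described in the overview and above: a SHA1PRNG instance (the algorithm SecureRandomFactoryBean uses by default) that receives a fixed seed before it has produced any output becomes fully deterministic, so two instances built from the same seed emit identical "random" tokens. It also shows the ordering the JDK documents for making an explicit seed supplement, rather than replace, the self-seeded state, and a small self-check a defender can run against a generator configuration. The seed bytes are constructed for the example and stand in for whatever an application would point setSeed at.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public final class SeededRandomDemo {

    // Constructed sample seed. It stands in for the fixed bytes an application
    // would hand to SecureRandomFactoryBean#setSeed (e.g. the contents of a seed file).
    private static final byte[] FIXED_SEED =
            "constructed-example-seed".getBytes(StandardCharsets.UTF_8);

    /** The weak pattern: a fresh SHA1PRNG is seeded before any output is drawn. */
    static SecureRandom seedBeforeFirstUse(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed); // on an unused SHA1PRNG this seed becomes the entire internal state
        return rnd;
    }

    /** The supplementing pattern: draw once first, so the explicit seed is mixed into entropy-based state. */
    static SecureRandom seedAfterFirstUse(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.nextBytes(new byte[1]); // forces self-seeding from the platform entropy source
        rnd.setSeed(seed);          // now supplements the existing state instead of replacing it
        return rnd;
    }

    /** Draws a token the way an application might for a session id or a reset link. */
    static byte[] token(SecureRandom rnd, int length) {
        byte[] out = new byte[length];
        rnd.nextBytes(out);
        return out;
    }

    /**
     * Defender's self-check: two generators built the same way must never agree on
     * their first token. If they do, the configuration is deterministic and unsafe.
     */
    static boolean producesIdenticalTokens(SecureRandom a, SecureRandom b) {
        return Arrays.equals(token(a, 32), token(b, 32));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("fixed seed applied before first use (weak):");
        System.out.println("  A: " + hex(token(seedBeforeFirstUse(FIXED_SEED), 16)));
        System.out.println("  B: " + hex(token(seedBeforeFirstUse(FIXED_SEED), 16)));
        System.out.println("  identical: " + producesIdenticalTokens(
                seedBeforeFirstUse(FIXED_SEED), seedBeforeFirstUse(FIXED_SEED)));

        System.out.println("fixed seed applied after first use (supplements entropy):");
        System.out.println("  A: " + hex(token(seedAfterFirstUse(FIXED_SEED), 16)));
        System.out.println("  B: " + hex(token(seedAfterFirstUse(FIXED_SEED), 16)));
        System.out.println("  identical: " + producesIdenticalTokens(
                seedAfterFirstUse(FIXED_SEED), seedAfterFirstUse(FIXED_SEED)));
    }
}
```

Run with `javac SeededRandomDemo.java && java SeededRandomDemo` on any JDK 8 or later that ships the SUN provider. The first pair of tokens is identical on every run and on every machine that uses the same seed bytes, which is exactly why a fixed seed handed to the factory bean is an information-exposure risk; the second pair differs because the generator was self-seeded before the explicit seed was mixed in. The `producesIdenticalTokens` check is a cheap unit test to keep in a project that configures its own SecureRandom: it fails loudly if someone reintroduces a deterministic seeding order.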

Credits

  • This vulnerability was publicly disclosed by Pivotal Software, Inc.

Mitigation

Spring Security 4.2.x is no longer community-supported. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID
CVE-2019-3795
PROJECT Affected
Spring Security
Versions Affected
<4.2.12, >=5.0.0 <5.0.12, >=5.1.0 <5.1.5
Published date
April 19, 2019
≈ Fix date
April 19, 2019
Severity
Low
Category
Information Exposure