CVE-2019-3795 - OpenCVE

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Vmware	Spring Security
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:vmware:spring_security::::::::
	cpe:2.3:a:vmware:spring_security::::::::
	cpe:2.3:a:vmware:spring_security::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/107802	Third Party Advisory VDB Entry
https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html	Mailing List Third Party Advisory
https://pivotal.io/security/cve-2019-3795	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2019-04-04T00:00:00

Updated: 2019-05-20T05:06:01

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3795

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-04-09T16:29:01.837

Modified: 2021-11-02T20:18:39.243

Link: CVE-2019-3795

JSON object: View

Redhat Information

No data.

CWE

CWE-330

{"containers": {"cna": {"affected": [{"product": "Spring Security", "vendor": "Spring", "versions": [{"lessThan": "5.0.11.RELEASE", "status": "affected", "version": "5.0", "versionType": "custom"}, {"lessThan": "5.1.4.RELEASE", "status": "affected", "version": "5.1", "versionType": "custom"}, {"lessThan": "4.2.11.RELEASE", "status": "affected", "version": "4.2", "versionType": "custom"}]}], "datePublic": "2019-04-04T00:00:00", "descriptions": [{"lang": "en", "value": "Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330: Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-05-20T05:06:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2019-3795"}, {"name": "107802", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107802"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1794-1] libspring-security-2.0-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2019-04-04T18:01:40.000Z", "ID": "CVE-2019-3795", "STATE": "PUBLIC", "TITLE": "Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Security", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "5.0", "version_value": "5.0.11.RELEASE"}, {"affected": "<", "version_affected": "<", "version_name": "5.1", "version_value": "5.1.4.RELEASE"}, {"affected": "<", "version_affected": "<", "version_name": "4.2", "version_value": "4.2.11.RELEASE"}]}}]}, "vendor_name": "Spring"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-330: Use of Insufficiently Random Values"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2019-3795", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2019-3795"}, {"name": "107802", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107802"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1794-1] libspring-security-2.0-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2019-3795", "datePublished": "2019-04-04T00:00:00", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2019-05-20T05:06:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "67B9611B-36FB-4483-9C67-DBF5006EB797", "versionEndExcluding": "4.2.12", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "49A2A2B9-CA3D-40F7-B54E-48A9657CD591", "versionEndExcluding": "5.0.12", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "F35AE135-6BD0-40F4-9980-9A479377C37A", "versionEndExcluding": "5.1.5", "versionStartIncluding": "5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection."}, {"lang": "es", "value": "Las versiones 4.2.x de Spring Security anteriores a 4.2.12, 5.0.x anteriores a 5.0.12 y 5.1.x anteriores a 5.1.5 contienen una vulnerabilidad de aleatoriedad insegura cuando se utiliza SecureRandomFactoryBean#setSeed para configurar una petici\u00f3n de SecureRandom. Para ser impactado, una aplicaci\u00f3n honesta debe proporcionar una semilla y poner el material aleatorio resultante a disposici\u00f3n de un atacante para su inspecci\u00f3n."}], "id": "CVE-2019-3795", "lastModified": "2021-11-02T20:18:39.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 0.1, "impactScore": 3.6, "source": "security_alert@emc.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-09T16:29:01.837", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107802"}, {"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2019-3795"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-330"}], "source": "security_alert@emc.com", "type": "Secondary"}]}