exploitDog

CVE-2019-3795

Published: 02 Apr 2019
Source: redhat
CVSS3: 3.3
EPSS: Low

Description

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Report

Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | spring-security-core | Fix deferred | | |
| Red Hat JBoss Fuse 6 | spring-security-core | Out of support scope | | |
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Not affected | | |
| Red Hat OpenStack Platform 14 (Rocky) | opendaylight | Not affected | | |
| Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Not affected | | |
| Red Hat OpenStack Platform 9 (Mitaka) | opendaylight | Will not fix | | |

Additional information

Status: Low
Defect: CWE-330
https://bugzilla.redhat.com/show_bug.cgi?id=1696616
spring-security-core: Insecure randomness when using a secureRandom instance constructed by Spring Security

EPSS: 0.01924 (Low)
Percentile: 83%

CVSS3: 3.3 Low

Related vulnerabilities

CVSS3: 5.3
ubuntu
almost 7 years ago

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

CVSS3: 5.3
nvd
almost 7 years ago

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

CVSS3: 5.3
debian
almost 7 years ago

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, ...

CVSS3: 5.3
github
almost 7 years ago

Spring Security uses insufficiently random values
