Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Affected Packages

Maven org.springframework.security:spring-security-core

Affected versions: 4.2.0 (fixed in 4.2.12)

Maven org.springframework.security:spring-security-core

Affected versions: 5.0.0 (fixed in 5.0.12)

Maven org.springframework.security:spring-security-core

Affected versions: 5.1.0 (fixed in 5.1.5)

Related CVEs

CVE-2019-3795

Key Information

GHSA ID

GHSA-v2r2-7qm7-jj6v

Published

April 16, 2019 3:10 PM

Last Modified

November 17, 2022 7:45 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.springframework.security:spring-security-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 20, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.