Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3p1k-4ges-1fev

Summary

Insufficient Entropy in PRNG
Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Aliases

alias	CVE-2019-3795

Fixed_packages

url pkg:maven/org.springframework/spring-core@4.3.0.RELEASE

purl pkg:maven/org.springframework/spring-core@4.3.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-46dm-5t83-tyh6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@4.3.0.RELEASE

url	pkg:maven/org.springframework/spring-core@5.0.13.RELEASE
purl	pkg:maven/org.springframework/spring-core@5.0.13.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@5.0.13.RELEASE

url	pkg:maven/org.springframework/spring-core@5.1.6.RELEASE
purl	pkg:maven/org.springframework/spring-core@5.1.6.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@5.1.6.RELEASE

url pkg:maven/org.springframework.security/spring-security-cas@4.2.12.RELEASE

purl pkg:maven/org.springframework.security/spring-security-cas@4.2.12.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jmf-5kbf-bbe2

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-cas@4.2.12.RELEASE

url	pkg:maven/org.springframework.security/spring-security-cas@5.0.12.RELEASE
purl	pkg:maven/org.springframework.security/spring-security-cas@5.0.12.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-cas@5.0.12.RELEASE

url	pkg:maven/org.springframework.security/spring-security-cas@5.1.5.RELEASE
purl	pkg:maven/org.springframework.security/spring-security-cas@5.1.5.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-cas@5.1.5.RELEASE

url	pkg:maven/org.springframework.security/spring-security-core@4.2.13.RELEASE
purl	pkg:maven/org.springframework.security/spring-security-core@4.2.13.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.13.RELEASE

url	pkg:maven/org.springframework.security/spring-security-core@5.0.13.RELEASE
purl	pkg:maven/org.springframework.security/spring-security-core@5.0.13.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.0.13.RELEASE

url	pkg:maven/org.springframework.security/spring-security-core@5.1.6.RELEASE
purl	pkg:maven/org.springframework.security/spring-security-core@5.1.6.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.1.6.RELEASE

Affected_packages

url pkg:maven/org.springframework/spring-core@4.2.0

purl pkg:maven/org.springframework/spring-core@4.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jmf-5kbf-bbe2

vulnerability	VCID-3p1k-4ges-1fev

vulnerability	VCID-vgyx-gshk-tbcx

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@4.2.0

url pkg:maven/org.springframework/spring-core@5.0.0

purl pkg:maven/org.springframework/spring-core@5.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-3p1k-4ges-1fev

vulnerability	VCID-72ga-q9u7-sfav

vulnerability	VCID-fra1-reqm-kfdb

vulnerability	VCID-h4kj-zdr8-wbdr

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@5.0.0

url pkg:maven/org.springframework/spring-core@5.1.0

purl pkg:maven/org.springframework/spring-core@5.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3p1k-4ges-1fev

vulnerability	VCID-fra1-reqm-kfdb

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@5.1.0

url pkg:maven/org.springframework.security/spring-security-cas@4.2.0.RELEASE

purl pkg:maven/org.springframework.security/spring-security-cas@4.2.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jmf-5kbf-bbe2

vulnerability	VCID-3p1k-4ges-1fev

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-cas@4.2.0.RELEASE

url pkg:maven/org.springframework.security/spring-security-cas@5.0.0.RELEASE

purl pkg:maven/org.springframework.security/spring-security-cas@5.0.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3p1k-4ges-1fev

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-cas@5.0.0.RELEASE

url pkg:maven/org.springframework.security/spring-security-cas@5.1.0.RELEASE

purl pkg:maven/org.springframework.security/spring-security-cas@5.1.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3p1k-4ges-1fev

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-cas@5.1.0.RELEASE

url pkg:maven/org.springframework.security/spring-security-core@4.2.0.RELEASE

purl pkg:maven/org.springframework.security/spring-security-core@4.2.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jmf-5kbf-bbe2

vulnerability	VCID-3p1k-4ges-1fev

vulnerability	VCID-aygn-9njz-ybfh

vulnerability	VCID-h4kj-zdr8-wbdr

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.0.RELEASE

url pkg:maven/org.springframework.security/spring-security-core@5.0.0.RELEASE

purl pkg:maven/org.springframework.security/spring-security-core@5.0.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3p1k-4ges-1fev

vulnerability	VCID-h4kj-zdr8-wbdr

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.0.0.RELEASE

url pkg:maven/org.springframework.security/spring-security-core@5.1.0.RELEASE

purl pkg:maven/org.springframework.security/spring-security-core@5.1.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3p1k-4ges-1fev

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.1.0.RELEASE

References

reference_url	http://www.securityfocus.com/bid/107802
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/107802

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-3795
reference_id	CVE-2019-3795
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-3795

reference_url	https://pivotal.io/security/cve-2019-3795
reference_id	CVE-2019-3795
reference_type
scores
url	https://pivotal.io/security/cve-2019-3795

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	332
name	Insufficient Entropy in PRNG
description	The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3p1k-4ges-1fev

Vulnerability Instance