Vulnerability Information
Vulnerability Title
Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl
Vulnerability Description
Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.
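The weak pattern named above and its hardened counterpart, side by side, as an added example (not Sakai's own code and not the SAK-49866 patch). It assumes Apache Commons Lang 3 and Jasypt on the classpath; the class and method names are hypothetical. `RandomStringUtils.randomAlphanumeric` draws from a shared `java.util.Random`, whose 48-bit state is fully determined by its seed, so two instances seeded identically yield the same "key"; the fix keeps the same helper but hands it a `SecureRandom`.

```java
import java.security.SecureRandom;
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;
import org.jasypt.util.text.AES256TextEncryptor;

/**
 * Hypothetical illustration of the weakness described in the advisory.
 * Not Sakai's EncryptionUtilityServiceImpl; names are constructed.
 */
public class ServerSecretKeyExample {

    private static final int KEY_LENGTH = 32;

    /**
     * WEAK: the static RandomStringUtils helpers use a shared java.util.Random.
     * Its 48-bit linear congruential state is derived from a seed, not from
     * OS entropy, so the output is not suitable for key material.
     */
    static String weakSecretKey() {
        return RandomStringUtils.randomAlphanumeric(KEY_LENGTH);
    }

    /**
     * Shows why the weak form is predictable: java.util.Random is a pure
     * function of its seed. Same seed, same generated "key".
     */
    static boolean sameSeedGivesSameKey(long seed) {
        String a = RandomStringUtils.random(KEY_LENGTH, 0, 0, true, true, null, new Random(seed));
        String b = RandomStringUtils.random(KEY_LENGTH, 0, 0, true, true, null, new Random(seed));
        return a.equals(b); // true: nothing about this output is secret
    }

    /**
     * HARDENED: same helper, but the source of randomness is a CSPRNG.
     * start=0/end=0 with letters+numbers selects the printable ASCII range.
     */
    static String strongSecretKey() {
        Random csprng = new SecureRandom();
        return RandomStringUtils.random(KEY_LENGTH, 0, 0, true, true, null, csprng);
    }

    /** Builds the text encryptor the way the advisory describes (password-based AES-256). */
    static AES256TextEncryptor newEncryptor(String secretKey) {
        AES256TextEncryptor encryptor = new AES256TextEncryptor();
        encryptor.setPassword(secretKey);
        return encryptor;
    }

    public static void main(String[] args) {
        System.out.println("deterministic weak key: " + sameSeedGivesSameKey(42L));

        AES256TextEncryptor encryptor = newEncryptor(strongSecretKey());
        String ciphertext = encryptor.encrypt("constructed sample plaintext");
        System.out.println("round trip ok: "
                + "constructed sample plaintext".equals(encryptor.decrypt(ciphertext)));
    }
}
```

Two practitioner notes: a code scan for `RandomStringUtils.random*`, `new Random()` or `Math.random()` feeding anything named key, secret, token or password is a cheap way to find this class of defect, and replacing a weak `serverSecretKey` with a strong one only protects data encrypted afterwards, so material already protected under the old key has to be re-encrypted under the new one.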
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Use of a predictable seed in a PRNG
Vulnerability Title
Sakai security vulnerability
Vulnerability Description
Sakai is a free, feature-rich open-source technology solution from Apereo for learning, teaching, research and collaboration. Sakai versions prior to 23.5 and prior to 25.0 contain a security vulnerability caused by the use of a non-cryptographic pseudo-random number generator to initialize the AES256TextEncryptor password, which may allow the key to be predicted and data to be decrypted.
CVSS Information
N/A
Vulnerability Type
N/A