GHSA-gr7h-xw4f-wh86: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

October 22, 2025

EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data.

References

github.com/advisories/GHSA-gr7h-xw4f-wh86
github.com/sakaiproject/sakai
github.com/sakaiproject/sakai/security/advisories/GHSA-gr7h-xw4f-wh86

Code Behaviors & Features

Detect and mitigate GHSA-gr7h-xw4f-wh86 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →