2.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-gr7h-xw4f-wh86

EPSS Score

CWE

CWE-337

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-gr7h-xw4f-wh86

GHSA-gr7h-xw4f-wh86: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact

EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data.

Patches

SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

Credits

Reported by Suraj Gangwar.
Patched by Sam Ottenhoff (Longsight).

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-gr7h-xw4f-wh86

GHSA-gr7h-xw4f-wh86:

2.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-gr7h-xw4f-wh86

EPSS Score

CWE

CWE-337

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.sakaiproject.kernel:sakai-kernel-impl	maven	<= 23.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-gr7h-xw4f-wh86, stems from the use of a predictable Pseudo-Random Number Generator (PRNG) for security-sensitive operations. The analysis of the provided patch commit bde070104b1de01f4a6458dca6d9e0880a0e3c04 confirms this.

The root cause is the usage of org.apache.commons.lang3.RandomStringUtils without providing a cryptographically secure random number generator. By default, this utility uses java.util.Random, which is not suitable for cryptographic purposes as its output can be predicted if an attacker can gather some initial state information.

Two primary vulnerable functions were identified from the patch:

org.sakaiproject.util.impl.EncryptionUtilityServiceImpl.init(): This function is responsible for initializing a server-wide secret key (serverSecretKey) used for encrypting data at rest. The patch explicitly replaces the default RandomStringUtils.random call with one that uses java.security.SecureRandom, a cryptographically strong PRNG. This indicates that the original implementation was vulnerable to key prediction.
org.sakaiproject.component.app.scheduler.jobs.cm.processor.sis.UserProcessor.generatePassword(): This function generates passwords for users, likely during an automated user provisioning process from a Student Information System (SIS). Similar to the first function, it was using a weak version of RandomStringUtils. The patch corrects this by incorporating SecureRandom, mitigating the risk of generating predictable passwords.

An attacker exploiting this vulnerability could potentially decrypt sensitive data or gain unauthorized access to user accounts by predicting the generated keys or passwords. The fix applied in the patch correctly addresses the root cause by replacing the weak PRNG with a secure one for all identified instances.

Vulnerable functions

org.sakaiproject.util.impl.EncryptionUtilityServiceImpl.init

kernel/kernel-impl/src/main/java/org/sakaiproject/util/impl/EncryptionUtilityServiceImpl.java

The `init` method in `EncryptionUtilityServiceImpl` used `RandomStringUtils.random` which defaults to the non-cryptographic `java.util.Random` to generate the `serverSecretKey`. This key is used as the password for an `AES256TextEncryptor`. An attacker who can obtain ciphertexts and approximate the PRNG seed can potentially reconstruct the key and decrypt data.

org.sakaiproject.component.app.scheduler.jobs.cm.processor.sis.UserProcessor.generatePassword

jobscheduler/scheduler-component-shared/src/java/org/sakaiproject/component/app/scheduler/jobs/cm/processor/sis/UserProcessor.java

The `generatePassword` method in `UserProcessor` used `RandomStringUtils.randomAlphanumeric` which defaults to the non-cryptographic `java.util.Random`. This could lead to predictable passwords being generated for users created through the SIS (Student Information System) integration.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.6

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-gr7h-xw4f-wh86: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact

Patches

Credits

GHSA-gr7h-xw4f-wh86:

2.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-gr7h-xw4f-wh86: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact

Patches

Credits

Technical Details

2.6

2.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI