Description

Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

INFO

Published Date :

2025-10-22T22:19:21.106Z

Last Modified :

2025-10-24T18:28:07.317Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62710 vulnerability.

Vendors Products
Sakailms
  • Sakai
Sakaiproject
  • Sakai
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62710.

URL Resource
https://github.com/sakaiproject/sakai/commit/bde070104b1de01f4a6458dca6d9e0880a0e3c04 cve-icon cve-icon
https://github.com/sakaiproject/sakai/security/advisories/GHSA-gr7h-xw4f-wh86 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact