CVE-2021-27568

MEDIUM

netplex json-smart-v1/v2 - Uncaught NumberFormatException (DoS / Info Disclosure)

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-27568. PoCs published by arsalanraja987.

AI-analyzed exploit summary
This repository demonstrates an insecure-randomness weakness in token generation using Java's `Random` class. It includes a vulnerable example (`InsecureTokenGenerator.java`) and a fixed version (`SecureTokenGenerator.java`) using `SecureRandom`. Note that this subject does not match CVE-2021-27568, which concerns an uncaught NumberFormatException in the json-smart parser (see Description below); the repository should not be relied on as a proof of concept for the json-smart issue, and the classification that follows describes the repository's own content rather than the CVE.

Description

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. A NumberFormatException raised while parsing a numeric value is thrown from a library function but not caught inside the library, so it propagates as an unchecked exception to the calling application. An application that does not handle it may crash (denial of service, matching the A:H vector below) or, if the exception reaches an error page or API response, expose sensitive information such as stack traces.
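The practical defence on the application side is to treat the library's parse call as an untrusted-input boundary: catch the checked ParseException and any unchecked exception that escapes (the NumberFormatException described above on affected versions), and return only a generic error to the client while logging details server-side. The following wrapper is an added example written for this page, not code from the advisory or from the json-smart project. It assumes the `net.minidev:json-smart` artifact on the classpath (`JSONParser`, `ParseException` and its `getPosition()` accessor are the library's real API); `MAX_BYTES`, `InvalidJsonException` and the sample inputs are constructed for the demonstration, and the page does not state which exact malformed number triggers the bug, so whether a given sample reaches NumberFormatException depends on the library version.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

public class SafeJsonParse {

    /** Hypothetical application-level exception returned to callers instead of the raw library exception. */
    public static final class InvalidJsonException extends Exception {
        InvalidJsonException(String message) {
            super(message);
        }
    }

    // Assumed per-request size limit; keeps a malformed document from being unbounded.
    private static final int MAX_BYTES = 64 * 1024;

    /**
     * Parse untrusted JSON. The checked ParseException and any unchecked exception
     * escaping the library (on affected versions, NumberFormatException from number
     * parsing) are both mapped to InvalidJsonException, so a malformed document can
     * neither bring down the calling thread nor surface the library's stack trace
     * or internal message to the client.
     */
    public static Object parseUntrusted(String json) throws InvalidJsonException {
        if (json == null || json.length() > MAX_BYTES) {
            throw new InvalidJsonException("document missing or too large");
        }
        JSONParser parser = new JSONParser(JSONParser.MODE_RFC4627);
        try {
            return parser.parse(json);
        } catch (ParseException e) {
            // Expected failure path: malformed input. Only the offset is returned;
            // the library message may quote the input, so it belongs in a server log.
            throw new InvalidJsonException("malformed JSON at offset " + e.getPosition());
        } catch (RuntimeException e) {
            // CWE-754: the library did not handle the unusual condition itself.
            // Log e server-side (not shown); hand the client a generic message only.
            throw new InvalidJsonException("malformed JSON");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration: one valid document with a
        // 23-digit integer (parsed as BigInteger) and three malformed numbers.
        String[] inputs = {
            "{\"n\": 12345678901234567890123}",
            "{\"n\": 1e}",
            "{\"n\": --1}",
            "{\"n\": 1.2.3}",
        };
        for (String in : inputs) {
            try {
                Object value = parseUntrusted(in);
                System.out.println("OK   " + in + " -> " + value);
            } catch (InvalidJsonException e) {
                System.out.println("FAIL " + in + " -> " + e.getMessage());
            }
        }
    }
}
```

The catch of `RuntimeException` is deliberately broad: on a fixed library version (1.3.2 / 2.4.1 and later, per the product ranges below) the number-parsing failure arrives as a ParseException and the second branch is never taken, but keeping it means upgrading the dependency and hardening the caller are independent. A server-side log of the caught exception, with the client message held fixed, is what prevents the information disclosure half of the advisory.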

Exploits (1)

nomisec WORKING POC
by arsalanraja987 · poc
https://github.com/arsalanraja987/java-insecure-random-cve-2021-27568


Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Applications using Java's `java.util.Random` for token generation
No auth needed
Prerequisites: Access to an application using insecure random token generation
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.9
EPSS 0.0070
EPSS Percentile 72.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-754
Status published
Products (14)
json-smart_project/json-smart-v1 < 1.3.2
json-smart_project/json-smart-v2 < 2.3.1
net.minidev/json-smart 0 - 1.3.2 (Maven)
net.minidev/json-smart-mini 0 - 1.3.2 (Maven)
oracle/communications_cloud_native_core_policy 1.14.0
oracle/oss_support_tools < 2.12.42
oracle/peoplesoft_enterprise_peopletools 8.58
oracle/peoplesoft_enterprise_peopletools 8.59
oracle/utilities_framework 4.4.0.0.0
oracle/utilities_framework 4.4.0.2.0
... and 4 more
Published Feb 23, 2021
Tracked Since Feb 18, 2026