Sakai Encryption Utility Vulnerability

MEDIUM (5.9) Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.03% chance of exploitation (percentile: 7%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

Sakai is a Collaboration and Learning Environment used by some organizations for employee management. The AES256TextEncryptor password protecting sensitive data stored in the system is generated with RandomStringUtils, which draws from a non-cryptographic PRNG, so an attacker may be able to recover that password and decrypt the data. If your organization uses Sakai, you're at risk of having your encrypted data compromised.
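The defect class described above, shown as an added illustration rather than Sakai's actual code (the page does not reproduce it): a password for Jasypt's AES256TextEncryptor drawn from RandomStringUtils, beside a replacement that takes 256 bits from the platform CSPRNG. Class and method names are assumptions for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;
import org.jasypt.util.text.AES256TextEncryptor;

public class EncryptorPasswordDemo {

    // Weak pattern (illustrative reconstruction, not Sakai's code): RandomStringUtils
    // is backed by java.util.Random, a 48-bit seeded generator that is not designed
    // for key material. A 32-character string from it still has at most 2^48
    // possible values, far below what "AES256" suggests.
    static String weakPassword() {
        return RandomStringUtils.randomAlphanumeric(32);
    }

    // Hardened pattern: 32 bytes (256 bits) from the platform CSPRNG, encoded
    // so it can be stored in configuration like any other passphrase.
    static String strongPassword() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static AES256TextEncryptor encryptorFor(String password) {
        AES256TextEncryptor enc = new AES256TextEncryptor();
        enc.setPassword(password);
        return enc;
    }

    public static void main(String[] args) {
        // Generate once, persist in protected configuration, then reuse.
        String password = strongPassword();
        AES256TextEncryptor enc = encryptorFor(password);

        String plaintext = "constructed sample secret";   // constructed input
        String ciphertext = enc.encrypt(plaintext);
        System.out.println("ciphertext: " + ciphertext);
        System.out.println("round trip ok: " + enc.decrypt(ciphertext).equals(plaintext));
    }
}
```

Data already encrypted under a weakly generated password stays at risk until it is re-encrypted under a new one, so a key rotation should accompany the upgrade.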

Am I affected?

You're affected if you use Sakai versions prior to 23.5 and 25.0. To check whether your build pulls in the affected artifact, run the following command in your project and inspect which version is resolved: mvn dependency:tree -Dincludes=org.sakaiproject.kernel:sakai-kernel-impl

Note that this vulnerability is specific to Sakai 2.x and not related to other Sakai products or versions.

Affected Packages

maven: org.sakaiproject.kernel:sakai-kernel-impl

Affected Products

aEnrich / a+HRD

How to fix

To fix this vulnerability, upgrade to Sakai 23.5, 25.0, or later. You can download the patch from the Sakai GitHub repository: https://github.com/sakaiproject/sakai/commit/bde070104b1de01f4a6458dca6d9e0880a0e3c04

Immediate mitigations:

  • Restrict network access to your Sakai instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation