Moderate severity · NVD Advisory · Published May 14, 2020 · Updated Sep 17, 2024
Dictionary attack with Spring Security queryable text encryptor
CVE-2020-5408
Description
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
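Why a constant IV turns CBC into a lookup table: the following Go program is an added illustration, not Spring Security's code (which is Java). It models the two encryptor variants and a check a reviewer can run against any encryptor: encrypt the same value twice and confirm the bytes differ. The key, plaintext and function names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptCBC PKCS#7-pads plaintext, encrypts it with AES-CBC under key and iv,
// and returns iv||ciphertext. The iv is the whole issue: a constant IV makes
// the output a pure function of (key, plaintext), so equal inputs collide.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}

// VulnerableEncrypt models the flaw in the advisory: a fixed null (all-zero) IV.
func VulnerableEncrypt(key, plaintext []byte) []byte {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

// PatchedEncrypt draws a fresh random IV for every call.
func PatchedEncrypt(key, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return encryptCBC(key, iv, plaintext)
}

// IsDeterministic is the check to run against any encryptor: identical output
// for identical input means stored ciphertexts can be matched against a
// precomputed table of candidate values, which is the dictionary attack here.
func IsDeterministic(enc func([]byte) []byte, sample []byte) bool {
	return bytes.Equal(enc(sample), enc(sample))
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key, not a real one
	v := func(p []byte) []byte { return VulnerableEncrypt(key, p) }
	w := func(p []byte) []byte { return PatchedEncrypt(key, p) }
	fmt.Println("null IV deterministic:", IsDeterministic(v, []byte("secret")))   // true
	fmt.Println("random IV deterministic:", IsDeterministic(w, []byte("secret"))) // false
}
```

The same check applies to any "queryable" or searchable encryption scheme: if the property holds, every repeated value in the data set is visible as a repeated ciphertext, and low-entropy fields (status codes, names, dates) are recoverable from a table of candidates.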
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security:spring-security-core | Maven | >= 5.3.0, < 5.3.2 | 5.3.2 |
| org.springframework.security:spring-security-core | Maven | >= 5.2.0, < 5.2.4 | 5.2.4 |
| org.springframework.security:spring-security-core | Maven | >= 5.1.0, < 5.1.10 | 5.1.10 |
| org.springframework.security:spring-security-core | Maven | >= 5.0.0, < 5.0.16 | 5.0.16 |
| org.springframework.security:spring-security-core | Maven | < 4.2.16 | 4.2.16 |
Affected products
- Range: 4.2
References
- github.com/advisories/GHSA-2ppp-9496-p23q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-5408 (NVD advisory)
- tanzu.vmware.com/security/cve-2020-5408 (vendor confirmation)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021)
- www.oracle.com/security-alerts/cpujan2021.html (Oracle Critical Patch Update, January 2021)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)