CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*

History

14 Jun 2021, 18:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

08 Jun 2021, 18:21

Type Values Removed Values Added
CPE cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*

Information

Published : 2020-05-14 18:15

Updated : 2024-02-04 21:00


NVD link : CVE-2020-5408

Mitre link : CVE-2020-5408

CVE.ORG link : CVE-2020-5408


JSON object : View

Products Affected

vmware

  • spring_security

pivotal_software

  • spring_security
CWE
CWE-330

Use of Insufficiently Random Values

CWE-329

Not Using an Unpredictable IV with CBC Mode