CVE-2020-5408
published 2020-05-14CVE-2020-5408: Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null…
medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotal_software | spring_security | >= 5.2.0 < 5.2.4 | 5.2.4 |
| pivotal_software | spring_security | >= 5.3.0 < 5.3.2 | 5.3.2 |
| spring_by_vmware | spring_security | >= 4.2 < 4.2.16 | 4.2.16 |
| spring_by_vmware | spring_security | >= 5.0 < 5.0.16 | 5.0.16 |
| spring_by_vmware | spring_security | >= 5.1 < 5.1.10 | 5.1.10 |
| spring_by_vmware | spring_security | >= 5.2 < 5.2.4 | 5.2.4 |
| spring_by_vmware | spring_security | >= 5.3 < 5.3.2 | 5.3.2 |
| vmware | spring_security | >= 4.2.0 < 4.2.16 | 4.2.16 |
| vmware | spring_security | >= 5.0.0 < 5.0.16 | 5.0.16 |
| vmware | spring_security | >= 5.1.0 < 5.1.10 | 5.1.10 |