CVE-2020-5408

CWE-329, CWE-330 · 7 documents · 5 sources

Severity: 6.5 MEDIUM
EPSS: 0.5% (top 35.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 14; latest update Apr 15

Description

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

Source    | Package                               | Introduced | Fixed  | Also affected
NVD       | vmware/spring_security                | 4.2.0      | 4.2.16 | +2 more
CVEListV5 | spring_by_vmware/spring_security      | 4.2        | 4.2.16 | +4 more
NVD       | pivotal_software/spring_security      | 5.2.0      | 5.2.4  | +1 more

🔴 Vulnerability Details (3)

GHSA: Insufficient Entropy in Spring Security (2020-06-15)
OSV: Insufficient Entropy in Spring Security (2020-06-15)
CVEList: Dictionary attack with Spring Security queryable text encryptor (2020-05-14)

📋 Vendor Advisories (3)

Oracle: Oracle Financial Services Applications Risk Matrix: Order Management (Spring Security) — CVE-2020-5408 (2021-04-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Core (Spring Security) — CVE-2020-5408 (2021-01-15)
Oracle: Oracle Communications Risk Matrix: Core (Spring Security) — CVE-2020-5408 (2020-10-15)