CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Published: May 14, 2020
Updated: May 9, 2024
CVE: CVE-2020-5408
GHSA: GHSA-2ppp-9496-p23q
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
pivotal_software / spring_security	5.3.0	5.3.2
pivotal_software / spring_security	5.2.0	5.2.4
vmware / spring_security	4.2.0	4.2.16
vmware / spring_security	5.0.0	5.0.16
vmware / spring_security	5.1.0	5.1.10
org.springframework.security / spring-security-core	5.3.0	5.3.2
org.springframework.security / spring-security-core	5.2.0	5.2.4
org.springframework.security / spring-security-core	5.1.0	5.1.10
org.springframework.security / spring-security-core	5.0.0	5.0.16
org.springframework.security / spring-security-core	-	4.2.16

Vulnerability Database

289,599

CVE-2020-5408