CVE-2020-5408 – org.springframework.security:spring-security-core

Package

Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=5.3.0 <5.3.2 || >=5.2.0 <5.2.4 || >=5.1.0 <5.1.10 || >=5.0.0 <5.0.16 || >=0 <4.2.16

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00468 pctl0.63557

Details

Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Metadata

Created: 2020-06-15T19:34:31Z
Modified: 2021-06-09T20:15:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-2ppp-9496-p23q/GHSA-2ppp-9496-p23q.json
CWE IDs: ["CWE-329", "CWE-330"]
Alternative ID: GHSA-2ppp-9496-p23q
Finding: F034
Auto approve: 1