Fluid Attacks Database

Description

Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.security:spring-security-core	>=5.3.0 <5.3.2 \|\| >=5.2.0 <5.2.4 \|\| >=5.1.0 <5.1.10 \|\| >=5.0.0 <5.0.16 \|\| >=0 <4.2.16	5.3.2, 5.2.4, 5.1.10, 5.0.16, 4.2.16

Aliases

1. CVE-2020-54082. NVD-2020-54083. OSV-2020-54084. GCVE-2020-5408

References

1. https://tanzu.vmware.com/security/cve-2020-54082. https://www.oracle.com/security-alerts/cpuApr2021.html3. https://www.oracle.com/security-alerts/cpujan2021.html4. https://www.oracle.com/security-alerts/cpuoct2020.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.