CVE-2020-5408
Last modified
CVE-2020-5408 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.. EPSS estimates a 1.84% chance of exploitation in the next 30 days.
Description
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Spring Security | >= 5.2.0, < 5.2.4 |
| Pivotal Software | Spring Security | >= 5.3.0, < 5.3.2 |
| Vmware | Spring Security | >= 4.2.0, < 4.2.16 |
| Vmware | Spring Security | >= 5.0.0, < 5.0.16 |
| Vmware | Spring Security | >= 5.1.0, < 5.1.10 |
References
- https://tanzu.vmware.com/security/cve-2020-5408Vendor Advisory
- https://tanzu.vmware.com/security/cve-2020-5408Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-5408?
How severe is CVE-2020-5408?
How do I fix CVE-2020-5408?
Are you affected by CVE-2020-5408?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST