Vulnerability

CVE-2020-5408

 Report advisory or correction

CVSS Score 6.5 medium

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-330

References

https://github.com/spring-projects/spring-security/issues/8480
https://spring.io/blog/2020/05/13/cve-reports-published-for-spring-security
https://tanzu.vmware.com/security/cve-2020-5408
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5408

[CVE-2020-5408] CWE-330: Use of Insufficiently Random Values

Description

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See org.springframework.security/spring-security-crypto package information