First published: Thu May 14 2020
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor (`Encryptors.queryableText`). Because the IV never changes, encrypting the same value under the same key always produces the same ciphertext, so equal plaintexts are visible as equal ciphertexts. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack: encrypt candidate values (through any path that uses the same encryptor and key) and match the results against the stored ciphertexts.
Credit: security@pivotal.io
Affected Software | Affected Version | How to fix
---|---|---
Pivotal Software Spring Security | >=5.2.0 <5.2.4 | Upgrade to 5.2.4 or later
Pivotal Software Spring Security | >=5.3.0 <5.3.2 | Upgrade to 5.3.2 or later
VMware Spring Security | >=4.2.0 <4.2.16 | Upgrade to 4.2.16 or later
VMware Spring Security | >=5.0.0 <5.0.16 | Upgrade to 5.0.16 or later
VMware Spring Security | >=5.1.0 <5.1.10 | Upgrade to 5.1.10 or later
CVE-2020-5408 is a vulnerability in Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16, and 4.2.x prior to 4.2.16 that lets a malicious user with access to the encrypted data recover the plaintext values with a dictionary attack.
CVE-2020-5408 affects Spring Security because the queryable text encryptor uses a fixed null initialization vector with CBC mode. The resulting ciphertexts are deterministic: the same plaintext under the same key always encrypts to the same bytes, so an attacker who can read the encrypted data and obtain ciphertexts for guessed values can match them against the stored records, and can also see which records share a value even without guessing it.
The severity of CVE-2020-5408 is medium with a CVSS score of 6.5.
CVE-2020-5408 affects Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16, and 4.2.x prior to 4.2.16.
To fix CVE-2020-5408, upgrade to Spring Security versions 5.3.2, 5.2.4, 5.1.10, 5.0.16, or 4.2.16, which contain the necessary security patches. Note that upgrading the library does not change ciphertexts already stored: values encrypted with the deterministic queryable encryptor remain matchable until they are re-encrypted. Where equality matching is not required, prefer a randomized encryptor such as `Encryptors.text` (AES-CBC with a random IV per message) or `Encryptors.delux` (AES-GCM).
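The Go program below is an added illustration of the weakness described in this advisory; it is not code from Spring Security or from this page. It models the queryable encryptor as AES-CBC with a fixed all-zero IV (the "null" IV is assumed here to be sixteen zero bytes; Spring's password-based key derivation is omitted and a raw key is used instead). With the fixed IV, equal plaintexts encrypt to equal ciphertexts, so an attacker who holds the stored ciphertexts and can obtain ciphertexts for guessed values through the application (an encryption oracle) recovers them by table lookup. The same lookup fails against the hardened variant that draws a fresh random IV per message. The key, the sample values and the dictionary are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// pad applies PKCS#7 padding so the input is a whole number of blocks.
func pad(b []byte, size int) []byte {
	n := size - len(b)%size
	out := make([]byte, 0, len(b)+n)
	out = append(out, b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC encrypts plaintext with AES-CBC under key using the given IV.
// CBC is only as unpredictable as its IV: reuse the IV and equal inputs
// produce equal outputs.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := pad(plaintext, block.BlockSize())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// QueryableEncrypt models the vulnerable "queryable" encryptor: a fixed
// all-zero IV (assumption standing in for Spring's null IV), so the output
// is deterministic and can be compared in a database query.
func QueryableEncrypt(key, plaintext []byte) []byte {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

// RandomIVEncrypt is the hardened form: a fresh random IV per message,
// prepended to the ciphertext so a decryptor can recover it. Two encryptions
// of the same value no longer match.
func RandomIVEncrypt(key, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	return append(iv, encryptCBC(key, iv, plaintext)...)
}

// DictionaryAttack is the attacker's view: stolen holds ciphertexts read from
// the data store, oracle returns the application's ciphertext for a chosen
// value (for instance by submitting it through a form and reading the stored
// row). Every dictionary word is encrypted once and matched against the
// stolen set; the result maps hex ciphertext to the recovered plaintext.
func DictionaryAttack(oracle func([]byte) []byte, stolen [][]byte, dictionary []string) map[string]string {
	lookup := make(map[string]string, len(dictionary))
	for _, word := range dictionary {
		lookup[hex.EncodeToString(oracle([]byte(word)))] = word
	}
	recovered := map[string]string{}
	for _, ct := range stolen {
		h := hex.EncodeToString(ct)
		if word, ok := lookup[h]; ok {
			recovered[h] = word
		}
	}
	return recovered
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key; never hard-code a real key
	ssn := []byte("123-45-6789")       // constructed sample value

	fmt.Printf("zero-IV encryptions equal:   %v\n",
		bytes.Equal(QueryableEncrypt(key, ssn), QueryableEncrypt(key, ssn)))
	fmt.Printf("random-IV encryptions equal: %v\n",
		bytes.Equal(RandomIVEncrypt(key, ssn), RandomIVEncrypt(key, ssn)))

	stolen := [][]byte{QueryableEncrypt(key, ssn), QueryableEncrypt(key, []byte("987-65-4321"))}
	oracle := func(p []byte) []byte { return QueryableEncrypt(key, p) }
	dict := []string{"111-11-1111", "123-45-6789", "987-65-4321"} // constructed dictionary
	for ct, word := range DictionaryAttack(oracle, stolen, dict) {
		fmt.Printf("recovered %s... -> %q\n", ct[:16], word)
	}
}
```

The attack needs no key material: it relies only on read access to the stored ciphertexts and on the application encrypting attacker-chosen values with the same key, which is exactly the deployment a queryable encryptor is built for. Even without an oracle, the determinism alone reveals which records share a value, which is enough for frequency analysis on low-entropy fields.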