CVE-2020-5408
MEDIUMSpring Security <5.3.2, 5.2.x <5.2.4, 5.1.x <5.1.10, 5.0.x <5.0.16,...
Title source: llmDescription
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://tanzu.vmware.com/security/cve-2020-5408
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Scores
CVSS v3
6.5
EPSS
0.0184
EPSS Percentile
76.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-330
CWE-329
Status
published
Products (3)
org.springframework.security/spring-security-core
5.3.0 - 5.3.2Maven
pivotal_software/spring_security
5.2.0 - 5.2.4
vmware/spring_security
4.2.0 - 4.2.16
Published
May 14, 2020
Tracked Since
Feb 18, 2026