CVE-2020-5408

Summary

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Affected Software

VendorProductVersion RangeStatus
Spring by VMwareSpring Security4.2 < 4.2.16affected
Spring by VMwareSpring Security5.0 < 5.0.16affected
Spring by VMwareSpring Security5.1 < 5.1.10affected
Spring by VMwareSpring Security5.2 < 5.2.4affected
Spring by VMwareSpring Security5.3 < 5.3.2affected

Weaknesses

  • CWE-329: CWE-329: Not Using a Random IV with CBC Mode

ADP Enrichment

CVE Program Container

Additional References

References