ghsa-2ppp-9496-p23q
Vulnerability from github
Published
2020-06-15 19:34
Modified
2021-06-09 20:15
Severity
Summary
Insufficient Entropy in Spring Security
Details
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "5.3.0" }, { "fixed": "5.3.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "5.2.0" }, { "fixed": "5.2.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "5.1.0" }, { "fixed": "5.1.10" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.16" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "4.2.16" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-5408" ], "database_specific": { "cwe_ids": [ "CWE-329", "CWE-330" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T20:44:52Z", "nvd_published_at": "2020-05-14T18:15:00Z", "severity": "MODERATE" }, "details": "Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.", "id": "GHSA-2ppp-9496-p23q", "modified": "2021-06-09T20:15:25Z", "published": "2020-06-15T19:34:31Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5408" }, { "type": "WEB", "url": "https://tanzu.vmware.com/security/cve-2020-5408" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Insufficient Entropy in Spring Security" }
Loading...