Dictionary attack with Spring Security queryable text encryptor
CVE-2020-5408

6.5MEDIUM

Key Information:

Vendor
Spring By Vmware
Status
Spring Security
Vendor
CVE Published:
14 May 2020

Summary

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Affected Version(s)

Spring Security 4.2 < 4.2.16

Spring Security 5.0 < 5.0.16

Spring Security 5.1 < 5.1.10

References

https://www.oracle.com/security-alerts/cpuoct2020.html
x_refsource_MISC
https://tanzu.vmware.com/security/cve-2020-5408
x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpujan2021.html
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.