| Vulnerable Component Details | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Type | Namespace | Name | Version | Package URL | |||||||||
| maven | org.springframework.security | spring-security-crypto | 5.4.8 | pkg:maven/org.springframework.security/spring-security-crypto@5.4.8?type=jar | |||||||||
| Vulnerability Details | |||||||||||||
| ID | CVE-2020-5408 | ||||||||||||
| Description | Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack. | ||||||||||||
| Ratings |
|
||||||||||||
| Found By | Sonotype OSS-Index | ||||||||||||
| References / Advisories | |||||||||||||
| Weakness Enumeration | |||||||||||||