CVE-2020-5408

CVE-2020-5408: Dictionary attack with Spring Security queryable text encryptor

Vendor: Spring by VMware
Product: Spring Security
Weakness: CWE-329
Published: May 14, 2020
Last update: September 17, 2024

CVSS base score

Description

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
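The weakness behind this record is that CBC with a constant IV is deterministic: the same plaintext under the same key always yields the same ciphertext, so anyone holding the encrypted column can compare it against ciphertexts of guessed values. The following Go program is an added illustration, not Spring Security's code; it models the null-IV pattern beside a per-call random IV and provides a check (`IsDeterministic`, a hypothetical name) that a reviewer can run against any encryptor to flag this class of weakness. The key and sample value are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Encryptor models a text encryptor's Encrypt operation: plaintext in, bytes out.
type Encryptor func(plaintext []byte) []byte

// pkcs7Pad pads the input to a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt runs AES-CBC with the supplied IV and returns iv||ciphertext.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}

// NullIVEncryptor reproduces the weak pattern from the advisory: a fixed
// all-zero IV for every call (CWE-329), so equal inputs give equal outputs.
func NullIVEncryptor(block cipher.Block) Encryptor {
	zeroIV := make([]byte, aes.BlockSize)
	return func(p []byte) []byte { return cbcEncrypt(block, zeroIV, p) }
}

// RandomIVEncryptor draws a fresh IV per call, which removes the determinism
// (at the cost of ciphertexts no longer being equality-queryable).
func RandomIVEncryptor(block cipher.Block) Encryptor {
	return func(p []byte) []byte {
		iv := make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			panic(err) // crypto/rand failure is unrecoverable here
		}
		return cbcEncrypt(block, iv, p)
	}
}

// IsDeterministic encrypts one sample twice; equal ciphertexts mean an observer
// holding the encrypted data can match them against a precomputed dictionary.
func IsDeterministic(e Encryptor, sample []byte) bool {
	return bytes.Equal(e(sample), e(sample))
}
```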

Disclosure timeline

May 14, 2020 CVE published
September 17, 2024 Record updated
