CVE-2020-5408

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-5408

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5408.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-5408

Aliases

GHSA-2ppp-9496-p23q

Published

2020-05-14T18:15:12.250Z

Modified

2026-04-12T00:01:54.594559Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

References

Affected packages

Git / github.com/spring-projects/spring-security

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-security

Events

Introduced

b7d97ca077ef92a2eb750b56f7b2415e1e02ea01

Fixed

b7212bd97510840b116c8a1ddf180cab7509d90c

Introduced

747d8817cbadc307f7407c26fc88b2ff63c37149

Fixed

532e546355ee1adb22a6ec3ee05d04cc698d2b06

Introduced

24fcb6c45a55333e5b856b6c73f14b68ceca0e19

Fixed

7b61962915e3c452fe34230c5c5c354bd44bad3d

Introduced

62e7762e8f3f2f810b01f2c23f211de627331aa8

Fixed

ef78626045724492cf88b086873cc71d224483e7

Introduced

c073705d555d94bd271dabb16990d87a33a8284c

Fixed

16c350a7bcaec7218d96d42c743d748a243478f4

Database specific

{
    "cpe": [
        "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*"
    ],
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "5.2.0"
        },
        {
            "fixed": "5.2.4"
        },
        {
            "introduced": "5.3.0"
        },
        {
            "fixed": "5.3.2"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.16"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.16"
        },
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.1.10"
        }
    ]
}

Affected versions

4.*

4.2.0.RELEASE

4.2.1.RELEASE

4.2.10.RELEASE

4.2.11.RELEASE

4.2.12.RELEASE

4.2.13.RELEASE

4.2.14.RELEASE

4.2.15.RELEASE

4.2.2.RELEASE

4.2.3.RELEASE

4.2.4.RELEASE

4.2.5.RELEASE

4.2.6.RELEASE

4.2.7.RELEASE

4.2.9.RELEASE

5.*

5.0.0.RELEASE

5.0.1.RELEASE

5.0.10.RELEASE

5.0.11.RELEASE

5.0.12.RELEASE

5.0.13.RELEASE

5.0.14.RELEASE

5.0.15.RELEASE

5.0.2.RELEASE

5.0.3.RELEASE

5.0.4.RELEASE

5.0.5.RELEASE

5.0.6.RELEASE

5.0.7.RELEASE

5.0.8.RELEASE

5.0.9.RELEASE

5.1.0.RELEASE

5.1.1.RELEASE

5.1.2.RELEASE

5.1.3.RELEASE

5.1.4.RELEASE

5.1.5.RELEASE

5.1.6.RELEASE

5.1.7.RELEASE

5.1.8.RELEASE

5.1.9.RELEASE

5.2.0.RELEASE

5.2.2.RELEASE

5.2.3.RELEASE

5.3.0.RELEASE

5.3.1.RELEASE

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5408.json"