CVE-2020-5408
Description
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor (Encryptors.queryableText). Because the IV never changes, a given plaintext always encrypts to the same ciphertext under a given key. A malicious user with access to data encrypted by such an encryptor may therefore be able to recover the unencrypted values with a dictionary attack: candidate values are encrypted with the same encryptor and compared against the stored ciphertexts, which is effective whenever the protected field has low entropy. Identical ciphertexts also reveal which records share a value, even before any candidate is matched.
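The following Go program is an added example, not code from this advisory or from Spring Security. It reproduces the weakness described above (AES/CBC with an all-zero IV and hex output) next to the hardened form (a fresh random IV stored in front of each ciphertext), and runs the dictionary attack against both. The key, the "birth year" column and the candidate list are constructed for the demonstration; Spring derives its key with PBKDF2 from the password and salt passed to queryableText, a step this example replaces with a fixed key because key derivation is not the flaw.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed 256-bit demo key. Spring derives the real one with PBKDF2 from the
// password and hex salt given to queryableText; that step is not the flaw and is omitted.
var demoKey, _ = hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || n%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad ciphertext length %d", n)
	}
	p := int(b[n-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:n-p], nil
}

// encryptFixedIV reproduces the flaw: AES/CBC/PKCS5Padding with an all-zero IV and
// hex output. The ciphertext is a pure function of (key, plaintext), so equal
// plaintexts always produce identical ciphertexts.
func encryptFixedIV(key, plaintext []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize) // the fixed "null" IV
	pt := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return hex.EncodeToString(ct)
}

// encryptRandomIV is the hardened form: a fresh random IV per call, stored in front
// of the ciphertext. Equal plaintexts now differ, which also removes the
// equality-search property queryableText existed to provide.
func encryptRandomIV(key, plaintext []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	return hex.EncodeToString(out)
}

// decryptRandomIV reads the IV back from the front of the stored value.
func decryptRandomIV(key []byte, hexCT string) ([]byte, error) {
	raw, err := hex.DecodeString(hexCT)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// dictionaryAttack models the attacker in the advisory: they can read the stored
// ciphertexts and can make the application encrypt values of their choosing (e.g. by
// submitting a record), but never see the key. Each guess goes through the oracle
// and the stored values are looked up in the resulting table.
func dictionaryAttack(oracle func([]byte) string, stored, guesses []string) map[string]string {
	table := make(map[string]string, len(guesses))
	for _, g := range guesses {
		table[oracle([]byte(g))] = g
	}
	recovered := map[string]string{}
	for _, ct := range stored {
		if pt, ok := table[ct]; ok {
			recovered[ct] = pt
		}
	}
	return recovered
}

func main() {
	guesses := []string{"1978", "1979", "1980", "1981", "1982"} // constructed candidate list
	// Constructed "database column" of encrypted birth years, weak and hardened.
	weak := []string{encryptFixedIV(demoKey, []byte("1980")), encryptFixedIV(demoKey, []byte("1978"))}
	fmt.Println("fixed IV  :", dictionaryAttack(func(p []byte) string { return encryptFixedIV(demoKey, p) }, weak, guesses))
	strong := []string{encryptRandomIV(demoKey, []byte("1980")), encryptRandomIV(demoKey, []byte("1978"))}
	fmt.Println("random IV :", dictionaryAttack(func(p []byte) string { return encryptRandomIV(demoKey, p) }, strong, guesses))
}
```

Running it, the fixed-IV column gives up both values while the random-IV column gives up nothing. The trade-off is deliberate: once each value carries its own IV, the column can no longer be searched with an equality predicate, and any scheme that restores that property is deterministic again and open to the same attack. That is why upgrading is the fix and why equality search over encrypted fields needs support from the data store rather than from the encryptor.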
Risk Information
Base Score: 6.5 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score (exploitation probability): 0.468
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2020-5408 and CVE-2020-5407 are fixed in Spring-security-core 5.3.2 | Windows |
| CVE-2020-5408 and CVE-2020-5407 are fixed in Spring-security-core 5.2.4 | Windows |
| CVE-2020-5408 is fixed in Spring-security-core 5.1.10 | Windows |
| CVE-2020-5408 is fixed in Spring-security-core 5.0.16 | Windows |
| CVE-2020-5408 is fixed in Spring-security-core 4.2.16 | Windows |
| Multiple vulnerabilities affect IBM Cognos Controller 10.4.0 | Windows |
| Multiple vulnerabilities affect IBM Cognos Controller 10.4.1 | Windows |
| Multiple vulnerabilities affect IBM Cognos Controller 10.4.2 | Windows |
| Multiple vulnerabilities affect IBM Sterling B2B Integrator 6.0.3.5 | Windows |
| Multiple vulnerabilities affect IBM Sterling B2B Integrator 6.1.0.4 | Windows |
| CVE-2020-5408 and CVE-2020-5407 are fixed in Spring-security-core for Linux 5.3.2 | Linux |
| CVE-2020-5408 and CVE-2020-5407 are fixed in Spring-security-core for Linux 5.2.4 | Linux |
| CVE-2020-5408 is fixed in Spring-security-core for Linux 5.1.10 | Linux |
| CVE-2020-5408 is fixed in Spring-security-core for Linux 5.0.16 | Linux |
| CVE-2020-5408 is fixed in Spring-security-core for Linux 4.2.16 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2020-5408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408