CVE-2020-5408 — MEDIUM (6.5)

Q: How severe is CVE-2020-5408?

CVE-2020-5408 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-5408?

Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Security, Vmware Spring Security.

Vulnerability Description

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Pivotal Software	Spring Security	>= 5.2.0, < 5.2.4
Vmware	Spring Security	>= 4.2.0, < 4.2.16

Related Weaknesses (CWE)

CWE-330 CWE-329

References

FAQ

What is CVE-2020-5408?

CVE-2020-5408 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the ...

How severe is CVE-2020-5408?

CVE-2020-5408 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-5408?

Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Security, Vmware Spring Security.