CVE-2020-5408 @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE #48
Description
Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2020-5408
Checkmarx Project: igorlombacx/astlab2
Repository URL: https://github.com/igorlombacx/astlab2
Branch: main
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Scan ID: 8caf1d69-ab69-4064-888d-abb555c4ebdc
Spring Security, modules "spring-security-core" and "spring-security-crypto", versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and before 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: NONE
Remediation Upgrade Recommendation: 4.0.0.M2