PT-2020-4629 · Spring · Spring Security
Published 2020-05-14 · Updated 2021-06-14 · CVE-2020-5408
CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Spring Security versions 5.3.x prior to 5.3.2
Spring Security versions 5.2.x prior to 5.2.4
Spring Security versions 5.1.x prior to 5.1.10
Spring Security versions 5.0.x prior to 5.0.16
Spring Security versions 4.2.x prior to 4.2.16
Description
The issue is related to the use of a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor. Because the IV never changes, identical plaintexts encrypt to identical ciphertexts, which may allow a malicious user with access to the encrypted data to derive the unencrypted values using a dictionary attack. The vulnerability can be exploited by a remote attacker to gain unauthorized access to protected information.
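The following is an added example written for this entry; it is not Spring Security's code. Spring Security is a Java project, but the weakness is a property of the cipher mode rather than of Java, so the example uses Go's standard library so that it runs stand-alone. It places the weak pattern (AES-CBC with a fixed all-zero IV) beside the corrected pattern (a fresh IV from crypto/rand per call, prepended to the ciphertext), and includes a check a reviewer can run over a column of stored values: with the null IV, every repeated plaintext shows up as a repeated ciphertext, which is the equality leak the description refers to. The key, the sample column values and all function names (EncryptNullIV, EncryptRandomIV, DecryptRandomIV, DuplicateCiphertexts) are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 256-bit key for this example only. The real encryptor
// derives its key from a password and salt; the key derivation is not the issue here.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad returns a padded copy of data that is a whole number of blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed input.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// cbcEncrypt runs AES-CBC with the caller-supplied IV; the IV is not part of the output.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptNullIV reproduces the weak pattern: CBC with a fixed all-zero IV.
// The output depends only on key and plaintext, so equal inputs give equal outputs.
func EncryptNullIV(key, plaintext []byte) ([]byte, error) {
	return cbcEncrypt(key, make([]byte, aes.BlockSize), plaintext)
}

// EncryptRandomIV is the corrected pattern: a fresh random IV per call, prepended
// to the ciphertext so that DecryptRandomIV can recover it.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// DecryptRandomIV reverses EncryptRandomIV: split off the IV, decrypt, unpad.
func DecryptRandomIV(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext has invalid length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// DuplicateCiphertexts counts records whose ciphertext equals that of an earlier record.
// Under the null IV this equals the number of repeated plaintexts (the leak a dictionary
// attack exploits); under the random IV it is zero even when plaintexts repeat.
func DuplicateCiphertexts(enc func(key, plaintext []byte) ([]byte, error), key []byte, values []string) (int, error) {
	seen := map[string]bool{}
	dups := 0
	for _, v := range values {
		ct, err := enc(key, []byte(v))
		if err != nil {
			return 0, err
		}
		if seen[string(ct)] {
			dups++
		}
		seen[string(ct)] = true
	}
	return dups, nil
}

func main() {
	// Constructed sample column: the first and third records hold the same value.
	values := []string{"123-45-6789", "987-65-4321", "123-45-6789"}
	weak, _ := DuplicateCiphertexts(EncryptNullIV, demoKey, values)
	fixed, _ := DuplicateCiphertexts(EncryptRandomIV, demoKey, values)
	fmt.Printf("null IV: %d repeated ciphertexts; random IV: %d repeated ciphertexts\n", weak, fixed)
}
```

The trade-off is the one the advisory implies: the null IV is what made the encryptor "queryable" (a stored ciphertext can be matched by re-encrypting a search term), and the random IV removes that property along with the leak. Scanning an encrypted column for repeated ciphertexts, as DuplicateCiphertexts does, is a quick way to tell which behaviour a deployment actually has.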
Recommendations
For Spring Security versions 5.3.x prior to 5.3.2, update to version 5.3.2 or later.
For Spring Security versions 5.2.x prior to 5.2.4, update to version 5.2.4 or later.
For Spring Security versions 5.1.x prior to 5.1.10, update to version 5.1.10 or later.
For Spring Security versions 5.0.x prior to 5.0.16, update to version 5.0.16 or later.
For Spring Security versions 4.2.x prior to 4.2.16, update to version 4.2.16 or later.
Fix
Update to one of the fixed versions listed under Recommendations.
Weakness Type
Use of Insufficiently Random Values
Related Identifiers
CVE-2020-5408
Affected Products
Spring Security