CVE-2020-5408 — Insufficient Entropy in Spring Security

Description

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

How to fix CVE-2020-5408

To remediate CVE-2020-5408, upgrade the affected package to a fixed version below.

—upgrade to 5.3.2 or later

Is CVE-2020-5408 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.3.0, < 5.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-5408
WEBtanzu.vmware.com/security/cve-2020-5408
WEBwww.oracle.com/security-alerts/cpuApr2021.html
WEBwww.oracle.com/security-alerts/cpujan2021.html
WEB