CVE-2020-5408 @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE #61
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Vulnerable Package issue exists @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE in branch main
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and before 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Namespace: DganiRotem
Repository: ast-advanced-lab
Repository Url: https://github.com/DganiRotem/ast-advanced-lab
CxAST-Project: DganiRotem/ast-advanced-lab
CxAST platform scan: 552bdd0d-4eb2-4442-8bb5-bae118cf6ed5
Branch: main
Application: ast-advanced-lab
Severity: MEDIUM
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-330
Addition Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: NONE
Remediation Upgrade Recommendation: 4.2.16.RELEASE
References
Advisory
Issue
Pull request
Commit
The text was updated successfully, but these errors were encountered: