CVE-2020-5408

Category: Information Exposure
Affects: Spring Security <4.2.16, >=5.0.0 <5.0.16, >=5.1.0 <5.1.10, >=5.2.0 <5.2.4, >=5.3.0 <5.3.2 (in Spring)
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview 

Spring Security is a powerful framework for securing Java-based web applications. It provides authentication, authorization, and protection against common security vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF), and session fixation attacks.

A cryptographic weakness (CVE-2020-5408) has been identified in the spring-security-crypto module of Spring Security. It allows an attacker who can read data encrypted by the affected encryptor to derive the unencrypted values using a dictionary attack.

A dictionary attack is a type of brute force attack that uses a precomputed list of potential values, such as words or phrases, to attempt to uncover unencrypted data.

This issue affects multiple versions of spring-security-crypto from Spring Security.

Details

Module Info

Vulnerability Information

CVE-2020-5408 is a vulnerability in Spring Security versions 4.2.0 through 5.3.1: the implementation of queryable text encryption uses a fixed null initialization vector (IV) with CBC mode. A malicious user with access to data encrypted by such an encryptor may be able to derive the unencrypted values using a dictionary attack.

The vulnerability is classified under CWE-329, Generation of Predictable IV with CBC Mode. Because every value is encrypted under the same key with the same IV, identical plaintexts always produce identical ciphertexts, which makes the scheme susceptible to dictionary attacks: an attacker can infer the original plaintext values from these predictable ciphertext patterns.
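To make the weakness concrete, here is an added Go example (not Spring Security's code) that encrypts one value with AES-CBC under a fixed all-zero IV and then under a fresh random IV, and reports whether repeated encryptions collide; the key, the sample value and the helper names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad pads plaintext to a multiple of the AES block size.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC is AES-CBC with a caller-supplied IV; a fixed IV under a fixed key makes it deterministic.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// FixedZeroIV models the weak behaviour (CWE-329): the same all-zero IV every time.
func FixedZeroIV() []byte { return make([]byte, aes.BlockSize) }

// RandomIV returns a fresh IV; store it beside the ciphertext (it is not secret) for decryption.
func RandomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// IsDeterministic encrypts one value twice and reports whether the ciphertexts collide.
func IsDeterministic(key, value []byte, ivFn func() []byte) bool {
	return bytes.Equal(encryptCBC(key, ivFn(), value), encryptCBC(key, ivFn(), value))
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real secret
	fmt.Println("zero IV deterministic:", IsDeterministic(key, []byte("555-01-2345"), FixedZeroIV))
	fmt.Println("random IV deterministic:", IsDeterministic(key, []byte("555-01-2345"), RandomIV))
}
```

Colliding ciphertexts are exactly what lets stored values be matched against encryptions of guessed plaintexts; a per-value random IV removes the collisions but also removes the ability to query on the ciphertext, which is the trade-off behind this advisory.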

Credits

Mitigation

Spring Security 4.2.x is no longer community-supported. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details

ID: CVE-2020-5408
Project affected: Spring Security
Versions affected: <4.2.16, >=5.0.0 <5.0.16, >=5.1.0 <5.1.10, >=5.2.0 <5.2.4, >=5.3.0 <5.3.2
Published date: May 7, 2020
Fix date (approximate): May 7, 2020
Severity: Medium
Category: Information Exposure