{"containers":{"cna":{"affected":[{"product":"Spring Security","vendor":"Spring by VMware","versions":[{"lessThan":"4.2.16","status":"affected","version":"4.2","versionType":"custom"},{"lessThan":"5.0.16","status":"affected","version":"5.0","versionType":"custom"},{"lessThan":"5.1.10","status":"affected","version":"5.1","versionType":"custom"},{"lessThan":"5.2.4","status":"affected","version":"5.2","versionType":"custom"},{"lessThan":"5.3.2","status":"affected","version":"5.3","versionType":"custom"}]}],"datePublic":"2020-05-13T00:00:00.000Z","descriptions":[{"lang":"en","value":"Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-329","description":"CWE-329: Not Using a Random IV with CBC Mode","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-06-14T17:20:23.000Z","orgId":"862b2186-222f-48b9-af87-f1fb7bb26d03","shortName":"pivotal"},"references":[{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://tanzu.vmware.com/security/cve-2020-5408"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"}],"source":{"discovery":"UNKNOWN"},"title":"Dictionary attack with Spring Security queryable text encryptor","x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@pivotal.io","DATE_PUBLIC":"2020-05-13T00:00:00.000Z","ID":"CVE-2020-5408","STATE":"PUBLIC","TITLE":"Dictionary attack with Spring Security queryable text encryptor"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Spring Security","version":{"version_data":[{"affected":"<","version_affected":"<","version_name":"4.2","version_value":"4.2.16"},{"affected":"<","version_affected":"<","version_name":"5.0","version_value":"5.0.16"},{"affected":"<","version_affected":"<","version_name":"5.1","version_value":"5.1.10"},{"affected":"<","version_affected":"<","version_name":"5.2","version_value":"5.2.4"},{"affected":"<","version_affected":"<","version_name":"5.3","version_value":"5.3.2"}]}}]},"vendor_name":"Spring by VMware"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack."}]},"impact":null,"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-329: Not Using a Random IV with CBC Mode"}]}]},"references":{"reference_data":[{"name":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"name":"https://tanzu.vmware.com/security/cve-2020-5408","refsource":"CONFIRM","url":"https://tanzu.vmware.com/security/cve-2020-5408"},{"name":"https://www.oracle.com/security-alerts/cpujan2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"name":"https://www.oracle.com/security-alerts/cpuApr2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"}]},"source":{"discovery":"UNKNOWN"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T08:30:23.986Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://tanzu.vmware.com/security/cve-2020-5408"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"}]}]},"cveMetadata":{"assignerOrgId":"862b2186-222f-48b9-af87-f1fb7bb26d03","assignerShortName":"pivotal","cveId":"CVE-2020-5408","datePublished":"2020-05-14T17:15:13.256Z","dateReserved":"2020-01-03T00:00:00.000Z","dateUpdated":"2024-09-17T01:01:47.960Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}