CVE-2020-5408 in Pivotal Software and VMware Products
Published on May 14, 2020

Dictionary attack with Spring Security queryable text encryptor

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

NVD

Weakness Type

Not Using an Unpredictable IV with CBC Mode

Not using an unpredictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.

Products Associated with CVE-2020-5408

stack.watch emails you whenever new vulnerabilities are published in Pivotal Software Spring Security or VMware Spring Security. Just hit a watch button to start following.

Pivotal Software Spring Security

VMware Spring Security

Affected Versions

Spring by VMware Spring Security:

Version 4.2 and below 4.2.16 is affected.
Version 5.0 and below 5.0.16 is affected.
Version 5.1 and below 5.1.10 is affected.
Version 5.2 and below 5.2.4 is affected.
Version 5.3 and below 5.3.2 is affected.

Exploit Probability

EPSS

0.47%

Percentile

64.19%