6.5
CVE-2020-5408
- EPSS 0.41%
- Veröffentlicht 14.05.2020 18:15:12
- Zuletzt bearbeitet 21.11.2024 05:34:06
- Quelle security@pivotal.io
- CVE-Watchlists
- Unerledigt
LoginDictionary attack with Spring Security queryable text encryptor
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pivotal Software ≫ Spring Security Version >= 5.2.0 < 5.2.4
Pivotal Software ≫ Spring Security Version >= 5.3.0 < 5.3.2
VMware ≫ Spring Security Version >= 4.2.0 < 4.2.16
VMware ≫ Spring Security Version >= 5.0.0 < 5.0.16
VMware ≫ Spring Security Version >= 5.1.0 < 5.1.10
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.614 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
CWE-329 Generation of Predictable IV with CBC Mode
The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
CWE-330 Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.