Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NPivotal Software Spring Security
APPPivotal Software5.2.0 – 5.2.4 (bez)5.3.0 – 5.3.2 (bez)VMware Spring Security
APPVmware4.2.0 – 4.2.16 (bez)5.0.0 – 5.0.16 (bez)5.1.0 – 5.1.10 (bez)
Related vulnerabilities
VMware Spring Security — brak zapisu nagłówków HTTP odpowiedzi
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching b...
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rule...
In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatc...
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could...