{"id":"CVE-2020-5408","details":"Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor. Because the IV never varies, encryption under a given key is deterministic: identical plaintexts produce identical ciphertexts. A malicious user with access to the data that has been encrypted using such an encryptor may therefore be able to derive the unencrypted values using a dictionary attack.","aliases":["GHSA-2ppp-9496-p23q"],"modified":"2026-04-12T00:01:54.594559Z","published":"2020-05-14T18:15:12.250Z","references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"https://tanzu.vmware.com/security/cve-2020-5408"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-security","events":[{"introduced":"b7d97ca077ef92a2eb750b56f7b2415e1e02ea01"},{"fixed":"b7212bd97510840b116c8a1ddf180cab7509d90c"},{"introduced":"747d8817cbadc307f7407c26fc88b2ff63c37149"},{"fixed":"532e546355ee1adb22a6ec3ee05d04cc698d2b06"},{"introduced":"24fcb6c45a55333e5b856b6c73f14b68ceca0e19"},{"fixed":"7b61962915e3c452fe34230c5c5c354bd44bad3d"},{"introduced":"62e7762e8f3f2f810b01f2c23f211de627331aa8"},{"fixed":"ef78626045724492cf88b086873cc71d224483e7"},{"introduced":"c073705d555d94bd271dabb16990d87a33a8284c"},{"fixed":"16c350a7bcaec7218d96d42c743d748a243478f4"}],"database_specific":{"cpe":["cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"5.2.0"},{"fixed":"5.2.4"},{"introduced":"5.3.0"},{"fixed":"5.3.2"},{"introduced":"4.2.0"},{"fixed":"4.2.16"},{"introduced":"5.0.0"},{"fixed":"5.0.16"},{"introduced":"5.1.0"},{"fixed":"5.1.10"}],"source":"CPE_FIELD"}}],"versions":["4.2.0.RELEASE","4.2.1.RELEASE","4.2.10.RELEASE",
"4.2.11.RELEASE","4.2.12.RELEASE","4.2.13.RELEASE","4.2.14.RELEASE","4.2.15.RELEASE","4.2.2.RELEASE","4.2.3.RELEASE","4.2.4.RELEASE","4.2.5.RELEASE","4.2.6.RELEASE","4.2.7.RELEASE","4.2.9.RELEASE","5.0.0.RELEASE","5.0.1.RELEASE","5.0.10.RELEASE","5.0.11.RELEASE","5.0.12.RELEASE","5.0.13.RELEASE","5.0.14.RELEASE","5.0.15.RELEASE","5.0.2.RELEASE","5.0.3.RELEASE","5.0.4.RELEASE","5.0.5.RELEASE","5.0.6.RELEASE","5.0.7.RELEASE","5.0.8.RELEASE","5.0.9.RELEASE","5.1.0.RELEASE","5.1.1.RELEASE","5.1.2.RELEASE","5.1.3.RELEASE","5.1.4.RELEASE","5.1.5.RELEASE","5.1.6.RELEASE","5.1.7.RELEASE","5.1.8.RELEASE","5.1.9.RELEASE","5.2.0.RELEASE","5.2.2.RELEASE","5.2.3.RELEASE","5.3.0.RELEASE","5.3.1.RELEASE"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5408.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}