CVE-2020-5408
Encryption Issue vulnerability in org.springframework.security:spring-security-core
What is CVE-2020-5408 About?
Spring Security versions prior to 5.3.2, 5.2.4, 5.1.10, 5.0.16 and 4.2.16 use a fixed null initialization vector (IV) with CBC Mode when implementing the queryable text encryptor. This allows a malicious user with access to the encrypted data to potentially derive the unencrypted values using a dictionary attack. The impact is data decryption and sensitive information exposure. Exploitation is possible after gaining access to the encrypted data.
Affected Software
- org.springframework.security:spring-security-core
  - >5.3.0, <5.3.2
  - <4.2.16
  - >5.2.0, <5.2.4
  - >5.1.0, <5.1.10
  - >5.0.0, <5.0.16
Technical Details
The vulnerability in Spring Security's `queryable text encryptor` implementation arises from the use of a fixed null initialization vector (IV) in Cipher Block Chaining (CBC) mode. In CBC mode, an IV is essential for ensuring that identical plaintexts produce different ciphertexts, preventing patterns from appearing in the encrypted data. A fixed or predictable IV, especially a null one, negates this security feature. An attacker who has access to the encrypted data can leverage this weakness with a dictionary attack. By encrypting common words or phrases with the same known fixed null IV, the attacker can compare the resulting ciphertexts with the intercepted encrypted data. A match reveals the original plaintext, allowing for data decryption and disclosure of sensitive information.
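The determinism described above, as an added example (not Spring Security's code and not code from this advisory): plain JCE AES-CBC is run once with an all-zero IV and once with a fresh random IV per message. The class name, the throwaway key and the sample values are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class FixedIvDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // AES-CBC; returns IV || ciphertext so the IV travels with the record.
    static byte[] encrypt(SecretKey key, byte[] iv, String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Weak setting: the all-zero IV described above.
    static byte[] nullIv() { return new byte[16]; }

    // Corrected setting: a fresh, unpredictable IV for every message.
    static byte[] randomIv() {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        return iv;
    }

    // First ciphertext block: bytes 16..31, right after the 16-byte IV.
    static byte[] firstBlock(byte[] record) { return Arrays.copyOfRange(record, 16, 32); }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();      // throwaway demo key
        String a = "customer-0000042|alice";   // constructed samples that share
        String b = "customer-0000042|bob";     // their first 16 bytes
        System.out.println("null IV, same plaintext, equal records:   "
                + Arrays.equals(encrypt(key, nullIv(), a), encrypt(key, nullIv(), a)));
        System.out.println("null IV, shared prefix, equal 1st block:  "
                + Arrays.equals(firstBlock(encrypt(key, nullIv(), a)), firstBlock(encrypt(key, nullIv(), b))));
        System.out.println("random IV, same plaintext, equal records: "
                + Arrays.equals(encrypt(key, randomIv(), a), encrypt(key, randomIv(), a)));
    }
}
```

With the null IV, equal plaintexts and even equal 16-byte prefixes are visible in the stored ciphertext; with a per-message random IV, neither comparison matches.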
What is the Impact of CVE-2020-5408?
Successful exploitation may allow attackers to decrypt sensitive data encrypted by the application, leading to information disclosure, privacy breaches, and potentially further compromise of user accounts or systems.
What is the Exploitability of CVE-2020-5408?
Exploitation of this vulnerability requires an attacker to first gain access to the data that has been encrypted using the vulnerable `queryable text encryptor`. The complexity depends on obtaining the encrypted data. No specific authentication is required for the decryption process itself, once the encrypted data is acquired. It is a local vulnerability in the sense that the attacker needs the encrypted data. There are no special conditions beyond having the encrypted data. The risk factors that increase exploitation likelihood include persistent storage of encrypted data in logs or databases, or insecure transmission of encrypted data where it can be intercepted.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-5408?
Available Upgrade Options
- org.springframework.security:spring-security-core
  - <4.2.16 → Upgrade to 4.2.16
  - >5.0.0, <5.0.16 → Upgrade to 5.0.16
  - >5.1.0, <5.1.10 → Upgrade to 5.1.10
  - >5.2.0, <5.2.4 → Upgrade to 5.2.4
  - >5.3.0, <5.3.2 → Upgrade to 5.3.2
Additional Resources
- https://osv.dev/vulnerability/GHSA-2ppp-9496-p23q
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://tanzu.vmware.com/security/cve-2020-5408
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-5408
- https://www.oracle.com/security-alerts/cpuoct2020.html
What are Similar Vulnerabilities to CVE-2020-5408?
Similar Vulnerabilities: CVE-2015-7575, CVE-2016-5696, CVE-2017-1000350, CVE-2018-1258, CVE-2020-13936
