Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.4"
},
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.2"
}
],
"source": "CPE_RANGE",
"vendor_product": "pivotal_software:spring_security",
"cpes": [
"cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*"
]
}
]
}{
"cpe": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.16"
},
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.16"
},
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.10"
}
]
}