CVE-2020-5408— Dictionary attack with Spring Security queryable text encryptor
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-5408
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dictionary attack with Spring Security queryable text encryptor
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在CBC加密模式中未使用随机化IV向量
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vmware VMware Spring Security 安全特征问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vmware VMware Spring Security是美国威睿(Vmware)公司的一套为基于Spring的应用程序提供说明性安全保护的安全框架。 VMware Spring Security中存在安全特征问题漏洞。攻击者可借助字典攻击利用该漏洞获取未加密的值。以下产品及版本受到影响:Spring Security 5.3.2之前的5.3.x版本,5.2.4之前的5.2.x版本,5.1.10之前的5.1.x版本,5.0.16之前的5.0.x版本,4.2.16之前的4.2.x版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring by VMware | Spring Security | 4.2 ~ 4.2.16 | - |
II. Public POCs for CVE-2020-5408
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-5408
Please Login to view more intelligence information
- https://www.oracle.com/security-alerts/cpujan2021.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpuApr2021.htmlx_refsource_MISC
- https://tanzu.vmware.com/security/cve-2020-5408x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2020-5408
IV. Related Vulnerabilities
Same product: Spring Security
- CVE-2026-22754
ervlet Path Not Correctly Included in Path Matching of XML A - CVE-2026-22753
Servlet Path Not Correctly Included in Path Matching of Http - CVE-2026-22748
Potential Security Misconfiguration when Using withIssuerLoc - CVE-2026-22747
Unauthorized User Impersonation when Using X.509 Client Cert - CVE-2026-22746
User Attribute Enumeration when Using DaoAuthenticationProvi
Same vendor: Spring by VMware
- CVE-2020-5427
Possibility of SQL Injection in Spring Cloud Data Flow Task - CVE-2020-5428
Possibility of SQL Injection in Spring Cloud Task Execution - CVE-2020-5421
RFD Protection Bypass via jsessionid - CVE-2020-5412
Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dash - CVE-2020-5413
Kryo Configuration Allows Code Execution with Unknown "Seria
Same weakness: CWE-329
V. Comments for CVE-2020-5408
No comments yet