Sonatype vulnerability CVE-2020-5408 in spring-security-crypto #28934

Closed
pcc-gambhp opened this issue Aug 8, 2022 · 6 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@pcc-gambhp

pcc-gambhp commented Aug 8, 2022

Affects: 5.3.3.RELEASE
Issue title: Sonatype vulnerability CVE-2020-5408 in spring-security-crypto

Description
Description from CVE
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Explanation
The spring-security-crypto package, also known as Spring Security Crypto Module, is vulnerable due to Not Using a Random IV with CBC Mode. The queryableText method in Encryptors.class which serves as the queryable text encryptor, utilises a fixed null initialization vector with CBC mode, which is not secure. An attacker can exploit this vulnerability via Dictionary Attacks to potentially derive unencrypted values of data encrypted using this method.

Advisory Deviation Notice: The Sonatype security research team discovered that this issue is not yet fixed as new versions simply @deprecated the vulnerable method, as mentioned in the advisory as opposed to replacing it with a safe alternative. Therefore, these are still flagged as vulnerable.

Detection
The application is vulnerable by using this component, if it uses queryableText(CharSequence, CharSequence) in Encryptors.class for querying encrypted data.

Recommendation
There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.

NOTE: In the "fixed versions" released by Spring, the vulnerable queryableText encryptor has simply been @deprecated instead of being replaced with a safer option. Therefore, these are still flagged as vulnerable. Whether using a "fixed version" or not,

The note also includes:
All users should discontinue the use of Encryptors#queryableText(CharSequence, CharSequence) and rely on their data store for querying encrypted data.

Reference: https://tanzu.vmware.com/security/cve-2020-5408

Root Cause
spring-security-crypto-5.3.3.RELEASE.jar : org/springframework/security/crypto/encrypt/Encryptors.class ( , )
Advisories
Project: https://github.com/spring-projects/spring-security/issues/8480
Project: https://spring.io/blog/2020/05/13/cve-reports-published-for-spring-security
Project: https://tanzu.vmware.com/security/cve-2020-5408
CVSS Details
CVE CVSS 3: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
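
The advisory text above says the queryable text encryptor reuses a fixed null IV under CBC mode. The following Java example is added here as an illustration; it is not part of this issue and not Spring Security's own code. It shows the property an auditor would check for: encrypting the same value twice with an all-zero IV yields identical bytes, so equal plaintexts are visible to anyone who can read the data store and can be matched against a list of candidate values, whereas a fresh random IV per call removes that leak. The PBKDF2 parameters, the salt, the passphrase and the sample plaintext are constructed for the demonstration and are not values from the advisory.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class IvCheck {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16; // AES block size

    // Derive an AES-256 key from a passphrase and salt with PBKDF2 (constructed parameters, illustrative only).
    static SecretKey deriveKey(String passphrase, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(new PBEKeySpec(passphrase.toCharArray(), salt, 65536, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // 'Before' case: CBC with a fixed all-zero IV, the weakness the advisory describes.
    // The output is deterministic, so equal plaintexts produce equal ciphertexts.
    static byte[] encryptFixedIv(SecretKey key, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[IV_LEN]));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened case: a fresh random IV per call, stored in front of the ciphertext so it can be decrypted later.
    static byte[] encryptRandomIv(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Counterpart of encryptRandomIv: split off the IV prefix and decrypt the remainder.
    static String decryptRandomIv(SecretKey key, byte[] ivAndCt) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(ivAndCt, IV_LEN, ivAndCt.length);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    // Minimal encryptor abstraction so the audit check below can be applied to either variant.
    interface Encryptor {
        byte[] encrypt(String plaintext) throws Exception;
    }

    // Audit check: an encryptor that returns the same bytes for the same input leaks equality
    // between stored records and is exactly what the advisory's dictionary-style matching relies on.
    static boolean isDeterministic(Encryptor e, String sample) throws Exception {
        return Arrays.equals(e.encrypt(sample), e.encrypt(sample));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt-value".getBytes(StandardCharsets.UTF_8); // constructed, not a deployment value
        SecretKey key = deriveKey("constructed-passphrase", salt);                   // constructed
        String sample = "account-0001";                                              // constructed sample record

        System.out.println("fixed zero IV is deterministic: "
                + isDeterministic(s -> encryptFixedIv(key, s), sample));
        System.out.println("random IV is deterministic:     "
                + isDeterministic(s -> encryptRandomIv(key, s), sample));

        byte[] blob = encryptRandomIv(key, sample);
        System.out.println("random IV round trip ok:        "
                + sample.equals(decryptRandomIv(key, blob)));
    }
}
```

Running `main` reports the zero-IV encryptor as deterministic and the random-IV one as not, and confirms that the random-IV variant still round-trips. This is also why a non-deprecated Spring Security encryptor such as `Encryptors.text(...)` or `Encryptors.stronger(...)`, which generate a fresh IV per call, cannot serve as a drop-in replacement for equality queries over ciphertext: the advisory's recommendation is to move such queries to the data store rather than to look for another deterministic encryptor.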

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Aug 8, 2022
@bclozel
Member

bclozel commented Aug 8, 2022

What is the purpose of this issue? You've copied a Spring Security CVE advisory but failed to explain the problem.

I'm closing this as invalid.

@bclozel bclozel added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Aug 8, 2022
@bclozel bclozel closed this as not planned Won't fix, can't repro, duplicate, stale Aug 8, 2022
@pcc-gambhp
Author

Can you please see the issue? I have taken the format from #24434.

@snicoll
Member

snicoll commented Aug 8, 2022

@pulkitpcc except the CVE is about Spring Security and you've copy/pasted the title that states it's related to Spring Web. Whatever you're suggesting is in the wrong issue tracker as well.

@pcc-gambhp pcc-gambhp changed the title Sonatype vulnerability CVE-2020-5408 in Spring-web project Sonatype vulnerability CVE-2020-5408 in spring-security-crypto Aug 8, 2022
@pcc-gambhp
Author

pcc-gambhp commented Aug 8, 2022

> @pulkitpcc except the CVE is about Spring Security and you've copy/pasted the title that states it's related to Spring Web. Whatever you're suggesting is in the wrong issue tracker as well.

@snicoll I have updated the title accordingly.

@bclozel
Member

bclozel commented Aug 8, 2022

@pulkitpcc Spring Framework doesn't depend on Spring Security so there's nothing we can do about this here.

If you have questions about this CVE you should read the official advisory (mitigation section) or ask a question on StackOverflow.

@pcc-gambhp
Author

> @pulkitpcc Spring Framework doesn't depend on Spring Security so there's nothing we can do about this here.
>
> If you have questions about this CVE you should read the official advisory (mitigation section) or ask a question on StackOverflow.

Thanks!
