
Sonatype vulnerability CVE-2020-5408 in spring-security-crypto #28935

Closed
pcc-gambhp opened this issue Aug 8, 2022 · 2 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

pcc-gambhp commented Aug 8, 2022

Affects: 5.3.3.RELEASE
Issue Title: Sonatype vulnerability CVE-2020-5408 in spring-security-crypto

Description
Description from CVE
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Explanation
The spring-security-crypto package, also known as Spring Security Crypto Module, is vulnerable due to Not Using a Random IV with CBC Mode. The queryableText method in Encryptors.class which serves as the queryable text encryptor, utilises a fixed null initialization vector with CBC mode, which is not secure. An attacker can exploit this vulnerability via Dictionary Attacks to potentially derive unencrypted values of data encrypted using this method.

Advisory Deviation Notice: The Sonatype security research team discovered that this issue is not yet fixed as new versions simply @deprecated the vulnerable method, as mentioned in the advisory as opposed to replacing it with a safe alternative. Therefore, these are still flagged as vulnerable.

Detection
The application is vulnerable by using this component, if it uses queryableText(CharSequence, CharSequence) in Encryptors.class for querying encrypted data.

Recommendation
There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.

NOTE: In the "fixed versions" released by Spring, the vulnerable queryableText encryptor has simply been @deprecated instead of being replaced with a safer option. Therefore, these are still flagged as vulnerable. Whether using a "fixed version" or not,

The note also includes:
All users should discontinue the use of Encryptors#queryableText(CharSequence, CharSequence) and rely on their data store for querying encrypted data.

Reference: https://tanzu.vmware.com/security/cve-2020-5408

Root Cause
spring-security-crypto-5.3.3.RELEASE.jar: org/springframework/security/crypto/encrypt/Encryptors.class ( , )
Advisories
Project: https://github.com/spring-projects/spring-security#8480
Project: https://spring.io/blog/2020/05/13/cve-reports-published-for-spring-security
Project: https://tanzu.vmware.com/security/GHSA-2ppp-9496-p23q
CVSS Details
CVE CVSS 3: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
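The advisory's core point, that a fixed all-zero IV turns CBC into a deterministic encryptor so equal plaintexts give equal ciphertexts, is easy to see in code. The following is an added example and not Spring Security's own implementation: it uses AES-128 with a constructed key (Spring derives its key from a password and salt, which does not affect the IV problem shown here), reproduces the fixed-null-IV behaviour beside a per-message random IV, and includes a `LeaksEquality` check a team can run as a regression test against any encryptor wrapper they still have in production. Function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// pkcs7Pad appends PKCS#7 padding so the input is a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC runs raw AES-CBC under the supplied IV. No authentication tag is
// added; the only point here is how the IV choice affects the ciphertext.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptFixedNullIV reproduces the flaw the advisory describes: the IV is all
// zero bytes for every message, so under one key equal plaintexts always
// produce equal ciphertexts, which is exactly what made the output "queryable".
func EncryptFixedNullIV(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

// EncryptRandomIV draws a fresh IV per message and prepends it to the
// ciphertext so a recipient can decrypt; equal plaintexts now differ on the wire.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// LeaksEquality is a defender's smoke test for an encryptor wrapper: encrypt
// the same value twice and report whether the outputs are identical. A true
// result means the encryptor is deterministic and stored ciphertexts can be
// matched against guessed values, as CVE-2020-5408 describes.
func LeaksEquality(enc func([]byte) ([]byte, error), sample []byte) (bool, error) {
	first, err := enc(sample)
	if err != nil {
		return false, err
	}
	second, err := enc(sample)
	if err != nil {
		return false, err
	}
	return bytes.Equal(first, second), nil
}

func main() {
	// Constructed 128-bit key and sample column value (hypothetical data).
	key := bytes.Repeat([]byte{0x42}, 16)
	sample := []byte("alice@example.com")

	for _, c := range []struct {
		name string
		enc  func([]byte) ([]byte, error)
	}{
		{"fixed null IV (vulnerable)", func(p []byte) ([]byte, error) { return EncryptFixedNullIV(key, p) }},
		{"random IV per message", func(p []byte) ([]byte, error) { return EncryptRandomIV(key, p) }},
	} {
		leaks, err := LeaksEquality(c.enc, sample)
		if err != nil {
			panic(err)
		}
		ct, _ := c.enc(sample)
		fmt.Printf("%-28s leaks equality: %-5v ciphertext: %s\n", c.name, leaks, hex.EncodeToString(ct))
	}
}
```

The random-IV variant fixes the equality leak but, as the advisory's own recommendation says, it also removes the ability to look rows up by ciphertext; that lookup has to move to the data store (for example a separate keyed hash or index column the store maintains) rather than back into the encryptor.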

pcc-gambhp (Author) commented

Please see: I have taken the format from #24434

spring-projects-issues added the label "status: waiting-for-triage" (An issue we've not yet triaged or decided on) on Aug 8, 2022
pcc-gambhp changed the title from "Sonatype vulnerability CVE-2020-5408 in Spring-web project" to "Sonatype vulnerability CVE-2020-5408 in spring-security-crypto" on Aug 8, 2022
bclozel (Member) commented Aug 8, 2022

Please don't open duplicate issues.
Duplicates #28934

bclozel added the label "status: invalid" (An issue that we don't feel is valid) and removed "status: waiting-for-triage" (An issue we've not yet triaged or decided on) on Aug 8, 2022
bclozel closed this as not planned (Won't fix, can't repro, duplicate, stale) on Aug 8, 2022