Spring Sonartype vulnerability CVE-2020-5408 in spring-security-crypto

Affects: \5.3.3. RELEASE Issue Title : Sonartype vulnerability CVE-2020-5408 in spring-security-crypto

Issue-:Sonartype vulnerability CVE-2020-5408 in spring-security-crypto

Description Description from CVE Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Explanation The spring-security-crypto package, also known as Spring Security Crypto Module, is vulnerable due to Not Using a Random IV with CBC Mode. The queryableText method in Encryptors.class which serves as the queryable text encryptor, utilises a fixed null initialization vector with CBC mode, which is not secure. An attacker can exploit this vulnerability via Dictionary Attacks to potentially derive unencrypted values of data encrypted using this method.

Advisory Deviation Notice: The Sonatype security research team discovered that this issue is not yet fixed as new versions simply @deprecated the vulnerable method, as mentioned in the advisory as opposed to replacing it with a safe alternative. Therefore, these are still flagged as vulnerable.

Detection The application is vulnerable by using this component, if it uses queryableText(CharSequence, CharSequence) in Encryptors.class for querying encrypted data.

Recommendation There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.

NOTE: In the "fixed versions" released by Spring, the vulnerable queryableText encryptor has simply been @deprecated instead of being replaced with a safer option. Therefore, these are still flagged as vulnerable. Whether using a "fixed version" or not,

The note also includes-: All users should discontinue the use of Encryptors#queryableText(CharSequence, CharSequence) and rely on their data store for querying encrypted data.

Reference: https://tanzu.vmware.com/security/cve-2020-5408

Root Cause spring-security-crypto-5.3.3.RELEASE.jarorg/springframework/security/crypto/encrypt/Encryptors.class( , ) Advisories Projecthttps://github.com/https://github.com/spring-projects/spring-security/issues/8480 Projecthttps://spring.io/blog/2020/05/13/cve-reports-published-for-spring-security Projecthttps://tanzu.vmware.com/security/https://github.com/advisories/GHSA-2ppp-9496-p23q CVSS Details CVE CVSS 36.5 CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Comment From: pcc-gambhp

Please see- I have take the format from https://github.com/spring-projects/spring-framework/issues/24434

Comment From: bclozel

Please don't open duplicate issues. Duplicates #28934