Vulnerabilities disclosed in spring-security-crypto and xmlschema-core

Issue date: 14-06-2023
Affects versions: 15.2, 15.1, 14.7, 13.4

Security Issue ID

SECURITY-403

SECURITY 405

Affected Product Version(s)

15.2.2, 15.1.4, 14.7.12, 13.4.21 and previous releases.

Severity

Medium

Description

CVE-2020-5408 suppress

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

CWE-330 Use of Insufficiently Random Values

CVSSv3:

Base Score: MEDIUM (6.5)
Vector: /AV:N/AC:L/Au:/C:H/I:N/A:N

CVSSv2:

Base Score: 4.0 MEDIUM
Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.3, 14.7.14, 13.4.23.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Deploy in BloomReach Cloud

Use Blue-Green Deployment in BloomReach Cloud

Understand

Implement

Extend

Integrate

Run

Upgrade

Develop

Use

Bloomreach Documentation version

Vulnerabilities disclosed in spring-security-crypto and xmlschema-core