Описание
Insufficient Entropy in Spring Security
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Пакеты
org.springframework.security:spring-security-core
>= 5.3.0, < 5.3.2
5.3.2
org.springframework.security:spring-security-core
>= 5.2.0, < 5.2.4
5.2.4
org.springframework.security:spring-security-core
>= 5.1.0, < 5.1.10
5.1.10
org.springframework.security:spring-security-core
>= 5.0.0, < 5.0.16
5.0.16
org.springframework.security:spring-security-core
< 4.2.16
4.2.16
Связанные уязвимости
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5 ...
Уязвимость Java-фреймворка для обеспечения безопасности промышленных приложений Spring Security, связанная с использованием недостаточно случайных значений, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации