Vulnerabilities disclosed in spring-security-crypto and xmlschema-core

Issue date: 14-06-2023
Affects versions: 15.2, 15.1, 14.7, 13.4

Security Issue ID

SECURITY-403

SECURITY-405

Affected Product Version(s)

15.2.2, 15.1.4, 14.7.12, 13.4.21 and previous releases.


Severity

Medium


Description

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
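To illustrate why a fixed IV with CBC mode makes the dictionary attack above possible, here is an added Go example (not Spring Security's own code): it encrypts a value under an all-zero IV and under a fresh random IV and reports whether the ciphertext is deterministic. The key and the sample value are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// encryptCBC: AES-CBC with PKCS#7 padding and a caller-supplied IV.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := block.BlockSize() - len(plaintext)%block.BlockSize()
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptFixedIV reproduces the weak pattern: a constant all-zero IV, so equal
// plaintexts under one key always produce identical ciphertexts.
func EncryptFixedIV(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

// EncryptRandomIV draws a fresh IV per message and prepends it to the output.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(key, iv, plaintext)
	return append(iv, ct...), err
}

// Deterministic reports whether encrypting the same value twice yields the same
// bytes; if it does, stored ciphertexts can be matched against encrypted guesses.
func Deterministic(enc func(key, pt []byte) ([]byte, error), key, value []byte) (bool, error) {
	a, err := enc(key, value)
	if err != nil {
		return false, err
	}
	b, err := enc(key, value)
	return err == nil && bytes.Equal(a, b), err
}
```

Note that a random IV alone does not add integrity protection; an authenticated mode is the usual remedy when the data does not need to be queried by equality.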

CWE-330 Use of Insufficiently Random Values

CVSSv3:

  • Base Score: 6.5 MEDIUM
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSSv2:

  • Base Score: 4.0 MEDIUM
  • Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Instructions

Customers are advised to upgrade to the latest version; at the time of writing these are 15.2.3, 14.7.14 and 13.4.23.