GHSA-2PPP-9496-P23Q Insufficient Entropy in Spring Security
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...
com.buession.cas:buession-cas-audit (>=2.0.0 <=2.2.1), com.buession.cas:buession-cas-captcha (>=2.0.0 <=2.2.1) +624 more potentially affected by CVE-2020-5408 via org.springframework.security:spring-security-core (>=5.3.0.RELEASE <=5.3.1.RELEASE)
org.springframework.security:spring-security-core (Maven). Source CVE: CVE-2020-5408; source advisory: OSV:GHSA-2PPP-9496-P23Q
ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +2637 more potentially affected by CVE-2020-5408 via org.springframework.security:spring-security-core (>=2.0.0 <=4.2.15.RELEASE)
org.springframework.security:spring-security-core (Maven). Source CVE: CVE-2020-5408; source advisory: OSV:GHSA-2PPP-9496-P23Q
ai.hyacinth.framework:core-service-gateway-server (=0.5.24), au.org.consumerdatastandards:data-holder (>=1.0.0 <=1.12.0) +1476 more potentially affected by CVE-2020-5408 via org.springframework.security:spring-security-core (>=5.2.0.RELEASE <=5.2.3.RELEASE)
ch.rasc:wamp2spring-security (=1.0.0), cn.springcloud.gray:spring-cloud-gray-server (>=B.0.0.1 <=B.0.0.6) +209 more potentially affected by CVE-2020-5408 via org.springframework.security:spring-security-core (>=5.0.0.RELEASE <=5.0.15.RELEASE)
org.springframework.security:spring-security-core (Maven). Source CVE: CVE-2020-5408; source advisory: OSV:GHSA-2PPP-9496-P23Q
com.buession.cas:buession-cas-audit (>=2.0.0 <=2.2.1), com.buession.cas:buession-cas-captcha (>=2.0.0 <=2.2.1) +624 more potentially affected by CVE-2020-5407 via org.springframework.security:spring-security-core (>=5.3.0.RELEASE <=5.3.1.RELEASE)
org.springframework.security:spring-security-core (Maven). Source CVE: CVE-2020-5407; source advisory: OSV:GHSA-48RW-J489-928M
ai.hyacinth.framework:core-service-gateway-server (=0.5.24), au.org.consumerdatastandards:data-holder (>=1.0.0 <=1.12.0) +1476 more potentially affected by CVE-2020-5407 via org.springframework.security:spring-security-core (>=5.2.0.RELEASE <=5.2.3.RELEASE)
GHSA-48RW-J489-928M Signature wrapping vulnerability in Spring Security
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...
Information Disclosure
spring-security-core is vulnerable to Information Disclosure. The vulnerability exists as it uses a fixed null initialization vector with CBC Mode for the queryable text encryptor rather than handling the null value passed to the function BCryptPasswordEncoder.encode, thereby allowing a user with...
Spring Security Security Feature Issue Vulnerability
Spring Security, formerly known as Acegi Security, is a framework used by the Spring project team to provide secure authentication services. A security signature issue vulnerability exists in Spring Security. An attacker can exploit this vulnerability to obtain unencrypted values with the help o...
CVE-2020-5408
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...
Null pointer dereference
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...
CVE-2020-5408
CVE-2020-5408 (IBM) affects IBM Sterling Connect:Direct Web Services. A fixed null initialization vector in CBC mode for the queryable text encryptor may allow a dictionary attack to derive unencrypted values, exposing sensitive information. Remediation is via upgrading to supported fixes: IBM St...
CVE-2020-5408 Dictionary attack with Spring Security queryable text encryptor
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...
VMware Spring Security Data Forgery Issue Vulnerability
VMware Spring Security is a set of security frameworks from VMware that provide declarative security for Spring-based applications. A data forgery issue vulnerability exists in VMware Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2. A remote attacker could exploit this...
CVE-2020-5407
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...