Spring Security

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:spring_by_vmware:spring_security:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorSpring By Vmware (e0b0b549-71d2-5c8a-be30-1f02c144ba93)
ProductSpring Security (fd2895fd-99fe-553b-ae24-b98010c3134f)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2020-5408 vulnerable 2026-06-08 05:26:42.791839 Dictionary attack with Spring Security queryable text encryptor
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Published: 2020-05-14T17:15:13.256Z
Updated: 2024-09-17T01:01:47.960Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-5407 vulnerable 2026-06-08 05:26:42.790115 Signature Wrapping Vulnerability with spring-security-saml2-service-provider
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Published: 2020-05-13T17:00:15.881Z
Updated: 2024-09-16T23:56:17.066Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.