Query
github/codeql#6357
CVE ID(s)
- The query detects CVE-2020-5408 in Spring Security. Please note that the issues has not been patched. They only deprecated the vulnerable methods. Therefore, the query detects the issue on the latest version of Spring Security.
Report
When a cipher is used in certain modes, it needs an initialization vector (IV). IVs are used to randomize the encryption, therefore they should be unique and ideally unpredictable. Otherwise, the same plaintexts result in same ciphertexts under a given secret key. If a static IV is used for encryption, this lets an attacker learn if the same data pieces are transfered or stored, or this can help the attacker run a dictionary attack.
Yes, I am planning to write a blog post about the query.
Result(s)
Query
github/codeql#6357
CVE ID(s)
Report
When a cipher is used in certain modes, it needs an initialization vector (IV). IVs are used to randomize the encryption, therefore they should be unique and ideally unpredictable. Otherwise, the same plaintexts result in same ciphertexts under a given secret key. If a static IV is used for encryption, this lets an attacker learn if the same data pieces are transfered or stored, or this can help the attacker run a dictionary attack.
Yes, I am planning to write a blog post about the query.
Result(s)