Vigil@nce - Spring Security: information disclosure via CBC Null Initialization Vector
December 2020 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/?langue=2
SYNTHESIS OF THE VULNERABILITY
Impacted products: QRadar SIEM, Tivoli Storage Manager, Oracle
Communications.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet server.
Confidence: confirmed by the editor (5/5).
Creation date: 08/10/2020.
DESCRIPTION OF THE VULNERABILITY
An attacker can bypass access restrictions to data via the CBC null
initialization vector of Spring Security, in order to obtain
sensitive information.
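The following is an added illustration, not code from the bulletin or from Spring Security: it shows in general why a fixed all-zero IV in CBC mode leaks information, next to the corrected setting of a fresh random IV per message. The class name, sample records and helper names are constructed for the example; it assumes Java 9 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class NullIvCbcDemo {
    static final int BLOCK = 16; // AES block size in bytes

    static byte[] encrypt(SecretKey key, byte[] iv, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // Number of leading ciphertext blocks that two messages have in common.
    static int sharedBlocks(byte[] a, byte[] b) {
        int n = 0;
        while ((n + 1) * BLOCK <= Math.min(a.length, b.length)
                && Arrays.equals(a, n * BLOCK, (n + 1) * BLOCK, b, n * BLOCK, (n + 1) * BLOCK)) {
            n++;
        }
        return n;
    }

    static byte[] randomIv() {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        return iv;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed sample records: identical first 16 bytes, different tail.
        String r1 = "account=00012345;role=user";
        String r2 = "account=00012345;role=admin";
        byte[] nullIv = new byte[BLOCK]; // all zero bytes: the weak setting
        // Weak: fixed null IV. Equal plaintext prefixes give equal ciphertext blocks.
        System.out.println("null IV, shared blocks:   "
                + sharedBlocks(encrypt(key, nullIv, r1), encrypt(key, nullIv, r2)));
        // Corrected: fresh random IV per message, stored alongside the ciphertext.
        System.out.println("random IV, shared blocks: "
                + sharedBlocks(encrypt(key, randomIv(), r1), encrypt(key, randomIv(), r2)));
    }
}
```

With the null IV, anyone who can read the ciphertexts can tell which records begin with the same data without holding the key; a random IV per message removes that correlation.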