Upon generating the Software Bill of Materials (SBOM) using cdxgen v8.6.0 and uploading it for analysis, the component spring-security-crypto version 5.8.12 was flagged as vulnerable under CVE-2020-5408 in the audit vulnerabilities section.
Details of the Issue:
Component: spring-security-crypto
Version: 5.8.12
CVE ID: CVE-2020-5408
CVE-2020-5408 Description:
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16, and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Issue:
There is no mention of version 5.8.x being affected by this vulnerability in the CVE details. Additionally, I verified on Maven Repository, and there are no vulnerabilities listed for version 5.8.12.
Request:
I would like to request a review of this detection to ensure the accuracy of the vulnerability data. If this is a false positive, it would be helpful to correct the detection rules to prevent similar issues in the future.
Expected Behavior
The component is not vulnerable and should not be flagged as vulnerable.
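To triage such a finding, the flagged version can be checked directly against the affected ranges quoted in the CVE description. The following is an added example, not part of this report and not Dependency-Track's or cdxgen's own matching logic; it assumes each "x.y.x prior to x.y.z" range has the lower bound x.y.0 and ignores a trailing qualifier such as ".RELEASE":

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the CVE-2020-5408 description, modelled as
# [lower, upper). The lower bounds (x.y.0) are an assumption used to turn
# "5.3.x prior to 5.3.2" and friends into explicit ranges.
CVE_2020_5408_RANGES: List[Tuple[str, str]] = [
    ("5.3.0", "5.3.2"),
    ("5.2.0", "5.2.4"),
    ("5.1.0", "5.1.10"),
    ("5.0.0", "5.0.16"),
    ("4.2.0", "4.2.16"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.8.12' or '5.1.9.RELEASE' into a comparable numeric tuple.

    Only leading numeric components are used; a trailing qualifier such as
    '.RELEASE' (older Spring naming) is ignored and missing components are
    padded with 0. Comparing integer tuples avoids the lexicographic-string
    mistake where '5.1.10' would sort before '5.1.2'.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not re.fullmatch(r"\d+", piece):
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"no numeric version components in {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if the version falls inside any [lower, upper) affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


if __name__ == "__main__":
    # The component flagged in the report and a version the CVE does cover.
    for candidate in ("5.8.12", "5.3.1"):
        verdict = "affected" if is_affected(candidate, CVE_2020_5408_RANGES) else "not affected"
        print(f"spring-security-crypto {candidate}: {verdict} by CVE-2020-5408")
```

Running it reports 5.8.12 as not affected and 5.3.1 as affected, which is the comparison a scanner must make before raising the finding.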
Current Behavior
Steps to Reproduce
Dependency-Track Version
4.10.x
Dependency-Track Distribution
Executable WAR
Database Server
PostgreSQL
Database Server Version
15
Browser
Google Chrome
Checklist