[ https://issues.apache.org/jira/browse/ATLAS-3854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17142382#comment-17142382 ]
ASF subversion and git services commented on ATLAS-3854: -------------------------------------------------------- Commit c8cf4765bb519fbe4cd4962ce9ab22999fdfaa4b in atlas's branch refs/heads/master from Mandar Ambawane [ https://gitbox.apache.org/repos/asf?p=atlas.git;h=c8cf476 ] ATLAS-3854 Upgrade Spring Security version to 4.2.16 Signed-off-by: Sarath Subramanian <sar...@apache.org> > Upgrade Spring Security version to 4.2.16 > ----------------------------------------- > > Key: ATLAS-3854 > URL: https://issues.apache.org/jira/browse/ATLAS-3854 > Project: Atlas > Issue Type: Bug > Reporter: Mandar Ambawane > Assignee: Mandar Ambawane > Priority: Major > > Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x > prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed > null initialization vector with CBC Mode in the implementation of the > queryable text encryptor. A malicious user with access to the data that has > been encrypted using such an encryptor may be able to derive the unencrypted > values using a dictionary attack. > To resolve this need to upgrade Spring security to 4.2.16 -- This message was sent by Atlassian Jira (v8.3.4#803005)