CVE-2020-5421: In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks…

medium6.5CVSS 3.1

AVNACHPRLUIRSCCLIHAN

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Affected

75 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	libspring-java	< libspring-java 4.3.30-1 (bookworm)	libspring-java 4.3.30-1 (bookworm)
oracle	commerce_guided_search	—	—
oracle	communications_brm	—	—
oracle	communications_brm	—	—
oracle	communications_design_studio	—	—
oracle	communications_design_studio	—	—
oracle	communications_design_studio	—	—
oracle	communications_session_report_manager	8.2.1 – 8.2.2.1	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	endeca_information_discovery_integrator	—	—
oracle	enterprise_data_quality	—	—
oracle	enterprise_data_quality	—	—
oracle	financial_services_analytical_applications_infrastructure	8.0.6 – 8.1.0	—
oracle	flexcube_private_banking	—	—
oracle	flexcube_private_banking	—	—
oracle	fusion_middleware	—	—
oracle	fusion_middleware	—	—
oracle	goldengate_application_adapters	—	—
oracle	healthcare_master_person_index	—	—
oracle	hyperion_infrastructure_technology	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	11.1.0 – 11.3.0	—

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

ghsa9.6CRITICAL

osv9.6CRITICAL