CVE-2020-5421

CWE-3515 documents8 sources
Severity: 6.5 MEDIUM
EPSS: 63.8% (top 1.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 19; Latest update Jan 15

Description

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
Exploitability: 1.3 | Impact: 4.7

Affected Packages (38 packages)

NVD | vmware/spring_framework | 5.0.0 | 5.0.19 | +3 more
CVEListV5 | spring_by_vmware/spring_framework | 4.3 | 4.3.29 | +3 more
Debian | libspring-java | < 4.3.30-1 | +3 more
NVD | oracle/primavera_gateway | 16.2.0 | 16.2.11 | +3 more

Patches

Vulnerability Details (4)

OSV: Improper Input Validation in Spring Framework (2021-04-30)
GHSA: Improper Input Validation in Spring Framework (2021-04-30)
OSV: CVE-2020-5421: In Spring Framework versions 5 (2020-09-19)
CVEList: RFD Protection Bypass via jsessionid (2020-09-19)

Vendor Advisories (8)

Oracle: Oracle Fusion Middleware Risk Matrix: Third Party (Spring Framework) — CVE-2020-5421 (2024-01-15)
Oracle: Oracle Systems Risk Matrix: Software (Spring Framework) — CVE-2020-5421 (2022-04-15)
Oracle: Oracle Communications Applications Risk Matrix: Inventory (Spring Framework) — CVE-2020-5421 (2022-01-15)
Oracle: Oracle Fusion Middleware Risk Matrix: General (Spring Framework) — CVE-2020-5421 (2021-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Reservations (Spring Framework) — CVE-2020-5421 (2021-04-15)

Community (2)

Bugzilla: CVE-2020-5421 springframework: RFD protection bypass via jsessionid [fedora-all] (2020-09-21)
Bugzilla: CVE-2020-5421 springframework: RFD protection bypass via jsessionid (2020-09-21)