Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvePivotalCVE-2020-5397
HistoryJan 17, 2020 - 7:15 p.m.

CVE-2020-5397

2020-01-1719:15:14
CWE-352
pivotal
web.nvd.nist.gov
196
2
cve-2020-5397
csrf
spring framework
cors
preflight requests
vulnerability
nvd

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

50.0%

JSON

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Affected configurations

Nvd
Node
vmwarespring_frameworkRange5.2.05.2.3
Node
oracleapplication_testing_suiteMatch13.3.0.1
OR
oraclecommunications_brm_-_elastic_charging_engineMatch11.3
OR
oraclecommunications_brm_-_elastic_charging_engineMatch12.0
OR
oraclecommunications_diameter_signaling_routerRange8.0.08.2.2
OR
oraclecommunications_element_managerMatch8.1.1
OR
oraclecommunications_element_managerMatch8.2.0
OR
oraclecommunications_element_managerMatch8.2.1
OR
oraclecommunications_policy_managementMatch12.5.0
OR
oraclecommunications_session_route_managerMatch8.1.1
OR
oraclecommunications_session_route_managerMatch8.2.0
OR
oraclecommunications_session_route_managerMatch8.2.1
OR
oracleenterprise_manager_base_platformMatch13.2.1.0
OR
oraclefinancial_services_regulatory_reporting_with_agilereporterMatch8.0.9.2.0
OR
oracleflexcube_private_bankingMatch12.0.0
OR
oracleflexcube_private_bankingMatch12.1.0
OR
oraclehealthcare_master_person_indexMatch4.0.2
OR
oracleinsurance_calculation_engineRange11.0.011.3.1
OR
oracleinsurance_policy_administration_j2eeMatch10.2.0
OR
oracleinsurance_policy_administration_j2eeMatch10.2.4
OR
oracleinsurance_policy_administration_j2eeMatch11.0.2
OR
oracleinsurance_policy_administration_j2eeMatch11.1.0
OR
oracleinsurance_policy_administration_j2eeMatch11.2.0
OR
oracleinsurance_rules_paletteMatch10.2.0
OR
oracleinsurance_rules_paletteMatch10.2.4
OR
oracleinsurance_rules_paletteMatch11.0.2
OR
oracleinsurance_rules_paletteMatch11.1.0
OR
oracleinsurance_rules_paletteMatch11.2.0
OR
oraclemysql_enterprise_monitorRange4.0.04.0.12
OR
oraclemysql_enterprise_monitorRange8.0.08.0.20
OR
oraclerapid_planningMatch12.1
OR
oraclerapid_planningMatch12.2
OR
oracleretail_assortment_planningMatch15.0
OR
oracleretail_assortment_planningMatch16.0
OR
oracleretail_back_officeMatch14.1
OR
oracleretail_central_officeMatch14.1
OR
oracleretail_financial_integrationMatch15.0
OR
oracleretail_financial_integrationMatch16.0
OR
oracleretail_integration_busMatch15.0.3
OR
oracleretail_integration_busMatch16.0.3
OR
oracleretail_order_brokerMatch15.0
OR
oracleretail_order_brokerMatch16.0
OR
oracleretail_point-of-serviceMatch14.1
OR
oracleretail_predictive_application_serverMatch14.0.3
OR
oracleretail_predictive_application_serverMatch14.1.3
OR
oracleretail_predictive_application_serverMatch15.0.3.0
OR
oracleretail_predictive_application_serverMatch16.0.3.0
OR
oracleretail_returns_managementMatch14.1
OR
oracleretail_service_backboneMatch15.0
OR
oracleretail_service_backboneMatch16.0
OR
oracleweblogic_serverMatch12.2.1.3.0
OR
oracleweblogic_serverMatch12.2.1.4.0
VendorProductVersionCPE
vmwarespring_framework*cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
oracleapplication_testing_suite13.3.0.1cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
oraclecommunications_brm_-_elastic_charging_engine11.3cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
oraclecommunications_brm_-_elastic_charging_engine12.0cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
oraclecommunications_diameter_signaling_router*cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
oraclecommunications_element_manager8.1.1cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
oraclecommunications_element_manager8.2.0cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
oraclecommunications_element_manager8.2.1cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
oraclecommunications_policy_management12.5.0cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
oraclecommunications_session_route_manager8.1.1cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
Rows per page:
1-10 of 511

CNA Affected

[
  {
    "product": "Spring Framework",
    "vendor": "Spring",
    "versions": [
      {
        "lessThan": "v5.2.3.RELEASE",
        "status": "affected",
        "version": "5.2",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

Related

ubuntucve 1
osv 2
ibm 2
veracode 1
redhatcve 1
debiancve 1
cvelist 1
prion 1
github 1
nvd 1
oracle 6
ubuntucve
ubuntucve
CVE-2020-5397
2020-01-17 00:00:00
osv
osv
CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux
2020-01-21 20:59:33
CVE-2020-5397
2020-01-17 19:15:14
ibm
ibm
Security Bulletin: A CSRF vulnerability in Pivotal Spring Framework affects IBM LKS Administration & Reporting Tool
2020-04-03 06:01:24
Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities
2020-07-02 19:10:46
veracode
veracode
Cross-Site Request Forgery (CSRF)
2020-01-17 04:31:22
redhatcve
redhatcve
CVE-2020-5397
2020-02-07 14:44:17
debiancve
debiancve
CVE-2020-5397
2020-01-17 19:15:14
cvelist
cvelist
CVE-2020-5397 CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
2020-01-17 18:50:12
prion
prion
Cross site request forgery (csrf)
2020-01-17 19:15:00
github
github
CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux
2020-01-21 20:59:33
nvd
nvd
CVE-2020-5397
2020-01-17 19:15:14
oracle
oracle
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

50.0%

JSON
Related for CVE-2020-5397
ubuntucve1osv2ibm2veracode1redhatcve1debiancve1cvelist1prion1github1nvd1oracle6