CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
50.0%
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF
attacks through CORS preflight requests that target Spring MVC
(spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.
Only non-authenticated endpoints are vulnerable because preflight requests
should not include credentials and therefore requests should fail
authentication. However a notable exception to this are Chrome based
browsers when using client certificates for authentication since Chrome
sends TLS client certificates in CORS preflight requests in violation of
spec requirements. No HTTP body can be sent or received as a result of this
attack.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 20.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 22.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 24.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 14.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libspring-java | < any | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
50.0%