CVE-2020-5407
Published: May 13, 2020
Modified: Sep 16, 2024
Description
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
| Vendor | Product | Versions |
|---|---|---|
| Spring by VMware | Spring Security | affected 5.2 - < 5.2.4; affected 5.3 - < 5.3.2 |
Weaknesses (CWE)
References
[geode-dev] 20200521 Re: Proposal to backport GEODE-8167 (mailing-list, x_refsource_MLIST)
[geode-dev] 20200521 Proposal to backport GEODE-8167 (mailing-list, x_refsource_MLIST)
https://www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
https://tanzu.vmware.com/security/cve-2020-5407 (x_refsource_CONFIRM)
https://www.oracle.com/security-alerts/cpujan2021.html (x_refsource_MISC)
https://www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)