QwikSec

Security Database

CVE

CWE

Training

CVE-2020-5421

Published: Sep 19, 2020

Modified: Sep 17, 2024

PUBLISHED

CVSS v3.0

8.7

HIGH

Description

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Vendor	Product	Versions
Spring by VMware	Spring Framework	affected `4.3 - < 4.3.29` affected `5.0 - < 5.0.19` affected `5.1 - < 5.1.18` affected `5.2 - < 5.2.9`

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://tanzu.vmware.com/security/cve-2020-5421

x_refsource_CONFIRM

[ranger-dev] 20201007 Re: Review Request 72934: RANGER-3022: Upgrade Spring framework to version 4.3.29.RELEASE

mailing-list

x_refsource_MLIST

[ambari-issues] 20201013 [jira] [Created] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

mailing-list

x_refsource_MLIST

[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko opened a new pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

mailing-list

x_refsource_MLIST

[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko merged pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

mailing-list

x_refsource_MLIST

[ambari-commits] 20201019 [ambari] branch branch-2.7 updated: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 (dlysnichenko) (#3246)

mailing-list

x_refsource_MLIST

[ambari-issues] 20201021 [jira] [Resolved] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

mailing-list

x_refsource_MLIST

[hive-dev] 20201022 [jira] [Created] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421

mailing-list

x_refsource_MLIST

[hive-issues] 20201022 [jira] [Assigned] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421

mailing-list

x_refsource_MLIST

[hive-issues] 20201022 [jira] [Updated] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421

mailing-list

x_refsource_MLIST

[pulsar-commits] 20201022 [GitHub] [pulsar] Ghatage opened a new pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421

mailing-list

x_refsource_MLIST

[pulsar-commits] 20201023 [GitHub] [pulsar] Ghatage commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421

mailing-list

x_refsource_MLIST

[pulsar-commits] 20201026 [GitHub] [pulsar] wolfstudy commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421

mailing-list

x_refsource_MLIST

[pulsar-commits] 20201028 [GitHub] [pulsar] merlimat merged pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421

mailing-list

x_refsource_MLIST

[ignite-user] 20201117 Query on CVE-2020-5421

mailing-list

x_refsource_MLIST

[ignite-user] 20201119 Re: Query on CVE-2020-5421

mailing-list

x_refsource_MLIST

[hive-issues] 20210107 [jira] [Resolved] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpujan2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuApr2021.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210513-0009/

x_refsource_CONFIRM

https://www.oracle.com//security-alerts/cpujul2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujan2022.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.