Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2020-5397

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

CVSS v3:

  • Severity: Medium
  • Score: 5.3
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

  • Severity: Low
  • Score: 2.6
  • AV:N/AC:H/Au:N/C:N/I:P/A:N

CWEs:

Software From Fixed in
vmware / spring_framework 5.2.0 5.2.3
oracle / flexcube_private_banking 12.1.0 12.1.0.x
oracle / insurance_policy_administration_j2ee 10.2.0 10.2.0.x
oracle / flexcube_private_banking 12.0.0 12.0.0.x
oracle / insurance_rules_palette 10.2.0 10.2.0.x
oracle / retail_service_backbone 15.0 15.0.x
oracle / retail_back_office 14.1 14.1.x
oracle / weblogic_server 12.2.1.3.0 12.2.1.3.0.x
oracle / application_testing_suite 13.3.0.1 13.3.0.1.x
oracle / retail_order_broker 15.0 15.0.x
oracle / retail_order_broker 16.0 16.0.x
oracle / retail_returns_management 14.1 14.1.x
oracle / retail_central_office 14.1 14.1.x
oracle / retail_assortment_planning 15.0 15.0.x
oracle / retail_point-of-service 14.1 14.1.x
oracle / retail_assortment_planning 16.0 16.0.x
oracle / retail_financial_integration 15.0 15.0.x
oracle / retail_financial_integration 16.0 16.0.x
oracle / communications_policy_management 12.5.0 12.5.0.x
oracle / weblogic_server 12.2.1.4.0 12.2.1.4.0.x
oracle / rapid_planning 12.1 12.1.x
oracle / rapid_planning 12.2 12.2.x
oracle / communications_element_manager 8.2.0 8.2.0.x
oracle / communications_element_manager 8.2.1 8.2.1.x
oracle / communications_element_manager 8.1.1 8.1.1.x
oracle / mysql_enterprise_monitor 8.0.0 8.0.20.x
oracle / communications_diameter_signaling_router 8.0.0 8.2.2.x
oracle / retail_predictive_application_server 15.0.3.0 15.0.3.0.x
oracle / retail_predictive_application_server 16.0.3.0 16.0.3.0.x
oracle / communications_session_route_manager 8.1.1 8.1.1.x
oracle / communications_session_route_manager 8.2.0 8.2.0.x
oracle / communications_session_route_manager 8.2.1 8.2.1.x
oracle / retail_service_backbone 16.0 16.0.x
oracle / retail_integration_bus 15.0.3 15.0.3.x
oracle / retail_predictive_application_server 14.0.3 14.0.3.x
oracle / retail_integration_bus 16.0.3 16.0.3.x
oracle / insurance_rules_palette 10.2.4 10.2.4.x
oracle / insurance_rules_palette 11.0.2 11.0.2.x
oracle / insurance_rules_palette 11.1.0 11.1.0.x
oracle / insurance_rules_palette 11.2.0 11.2.0.x
oracle / insurance_policy_administration_j2ee 10.2.4 10.2.4.x
oracle / insurance_policy_administration_j2ee 11.0.2 11.0.2.x
oracle / insurance_policy_administration_j2ee 11.1.0 11.1.0.x
oracle / insurance_policy_administration_j2ee 11.2.0 11.2.0.x
oracle / healthcare_master_person_index 4.0.2 4.0.2.x
oracle / financial_services_regulatory_reporting_with_agilereporter 8.0.9.2.0 8.0.9.2.0.x
oracle / enterprise_manager_base_platform 13.2.1.0 13.2.1.0.x
oracle / mysql_enterprise_monitor 4.0.0 4.0.12.x
oracle / retail_predictive_application_server 14.1.3 14.1.3.x
oracle / insurance_calculation_engine 11.0.0 11.3.1.x
oracle / communications_brm_-_elastic_charging_engine 12.0 12.0.x
oracle / communications_brm_-_elastic_charging_engine 11.3 11.3.x
org.springframework / spring-webmvc 5.2.0 5.2.3
org.springframework / spring-webflux 5.2.0 5.2.3