CVE-2020-5421
MEDIUMCVSS 6.5/10EPSS 10.74%
Last modified
CVE-2020-5421 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.. EPSS estimates a 10.74% chance of exploitation in the next 30 days.
Description
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Framework | < 4.3.29 |
| Vmware | Spring Framework | >= 5.0.0, < 5.0.19 |
| Vmware | Spring Framework | >= 5.1.0, < 5.1.18 |
| Vmware | Spring Framework | >= 5.2.0, < 5.2.9 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Brm | 11.3.0.9 |
| Oracle | Communications Brm | 12.0.0.3 |
| Oracle | Communications Design Studio | 7.3.4 |
| Oracle | Communications Design Studio | 7.3.5 |
| Oracle | Communications Design Studio | 7.4.0 |
| Oracle | Communications Session Report Manager | >= 8.2.1, <= 8.2.2.1 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Communications Unified Inventory Management | 7.3.5 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Data Quality | 12.2.1.3.0 |
| Oracle | Enterprise Data Quality | 12.2.1.4.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Flexcube Private Banking | 12.1.0 |
| Oracle | Fusion Middleware | 12.2.1.3.0 |
| Oracle | Fusion Middleware | 12.2.1.4.0 |
| Oracle | Goldengate Application Adapters | 19.1.0.0.0 |
| Oracle | Healthcare Master Person Index | 4.0.2.5 |
| Oracle | Hyperion Infrastructure Technology | 11.1.2.4 |
| Oracle | Insurance Policy Administration | >= 11.1.0, <= 11.3.0 |
| Oracle | Insurance Policy Administration | 10.2 |
| Oracle | Insurance Policy Administration | 10.2.4 |
| Oracle | Insurance Policy Administration | 11.0.2 |
| Oracle | Insurance Rules Palette | >= 11.1.0, <= 11.3.0 |
| Oracle | Insurance Rules Palette | 10.2.0 |
| Oracle | Insurance Rules Palette | 10.2.4 |
| Oracle | Insurance Rules Palette | 11.0.2 |
| Oracle | Mysql Enterprise Monitor | <= 8.0.22 |
| Oracle | Mysql Enterprise Monitor | 8.0.23 |
| Oracle | Primavera Gateway | >= 16.2.0, <= 16.2.11 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.9 |
| Oracle | Primavera Gateway | >= 18.8.0, <= 18.8.10 |
| Oracle | Primavera Gateway | >= 19.12.0, <= 19.12.10 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 16.1.0, <= 16.2.20 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 17.1.0, <= 17.12.19 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 18.1.0, <= 18.8.21 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 19.12.0, <= 19.12.10 |
| Oracle | Retail Assortment Planning | 16.0.3.0 |
| Oracle | Retail Bulk Data Integration | 16.0.3.0 |
| Oracle | Retail Customer Engagement | >= 16.0, <= 19.0 |
| Oracle | Retail Customer Management And Segmentation Foundation | >= 16.0, <= 19.0 |
| Oracle | Retail Financial Integration | 14.1.3 |
| Oracle | Retail Financial Integration | 15.0.3 |
| Oracle | Retail Financial Integration | 16.0.3 |
| Oracle | Retail Integration Bus | 14.1.3 |
Showing 50 of 77 affected configurations. See NVD for the full list.
References
- https://security.netapp.com/advisory/ntap-20210513-0009/Third Party Advisory
- https://tanzu.vmware.com/security/cve-2020-5421Vendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlNot Applicable, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210513-0009/Third Party Advisory
- https://tanzu.vmware.com/security/cve-2020-5421Vendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlNot Applicable, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-5421?
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
How severe is CVE-2020-5421?
CVE-2020-5421 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 10.74% probability of exploitation in the next 30 days.
How do I fix CVE-2020-5421?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2020-5421?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST