Lucene search

K
cvelistPivotalCVELIST:CVE-2020-5421
HistorySep 17, 2020 - 12:00 a.m.

CVE-2020-5421 RFD Protection Bypass via jsessionid

2020-09-1700:00:00
pivotal
www.cve.org

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

7.7 High

AI Score

Confidence

High

0.153 Low

EPSS

Percentile

95.9%

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

CNA Affected

[
  {
    "product": "Spring Framework",
    "vendor": "Spring by VMware",
    "versions": [
      {
        "lessThan": "4.3.29",
        "status": "affected",
        "version": "4.3",
        "versionType": "custom"
      },
      {
        "lessThan": "5.0.19",
        "status": "affected",
        "version": "5.0",
        "versionType": "custom"
      },
      {
        "lessThan": "5.1.18",
        "status": "affected",
        "version": "5.1",
        "versionType": "custom"
      },
      {
        "lessThan": "5.2.9",
        "status": "affected",
        "version": "5.2",
        "versionType": "custom"
      }
    ]
  }
]

References

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

7.7 High

AI Score

Confidence

High

0.153 Low

EPSS

Percentile

95.9%