Veracode Vulnerability DatabaseVERACODE:22313Cross-Site Request Forgery (CSRF)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
spring-web is vulnerable to cross-site request forgery (CSRF). The CORS preflight requests does not validate the Origin header and allows for CSRF attacks. Non-authenticated endpoints are vulnerable except for Chrome-based browsers using client certificates authentication.
| CPE | Name | Operator | Version |
|---|---|---|---|
| spring web | le | 5.2.2.RELEASE | |
| spring web | le | 5.2.2.RELEASE |
References
github.com/spring-projects/spring-framework/issues/24327
pivotal.io/security/cve-2020-5397
spring.io/blog/2020/01/16/spring-framework-5-2-3-5-1-13-5-0-16-and-4-3-26-releases
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/security-alerts/cpujul2022.html
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/security-alerts/cpuoct2021.html
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N