CVE-2020-5397

Published on: 01/17/2020 12:00:00 AM UTC

Last Modified on: 07/25/2022 07:09:12 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Certain versions of Application Testing Suite from Oracle contain the following vulnerability:

Spring Framework, versions 5.2.x prior to 5.2.3, are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable, because preflight requests should not include credentials and therefore should fail authentication. However, a notable exception is Chrome-based browsers when client certificates are used for authentication, since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

  • CVE-2020-5397 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: Spring - Spring Framework version v5.2.3.RELEASE

CVSS3 Score: 5.3 - MEDIUM

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS2 Score: 2.6 - LOW

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVE References

Description | Tags | Link
Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - July 2021 | MISC | www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - April 2020 | N/A | N/A
Oracle Critical Patch Update Advisory - July 2022 | MISC | www.oracle.com/security-alerts/cpujul2022.html
CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux | Security | VMware Tanzu | Exploit, Vendor Advisory, CONFIRM | pivotal.io/security/cve-2020-5397

Related QID Numbers

  • 980300 Java (maven) Security Update for org.springframework:spring-webflux (GHSA-7pm4-g2qj-j85x)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Oracle | Application Testing Suite | 13.3.0.1 | All | All | All
Application | Oracle | Communications Brm - Elastic Charging Engine | 11.3 | All | All | All
Application | Oracle | Communications Brm - Elastic Charging Engine | 12.0 | All | All | All
Application | Oracle | Communications Diameter Signaling Router | All | All | All | All
Application | Oracle | Communications Element Manager | 8.1.1 | All | All | All
Application | Oracle | Communications Element Manager | 8.2.0 | All | All | All
Application | Oracle | Communications Element Manager | 8.2.1 | All | All | All
Application | Oracle | Communications Policy Management | 12.5.0 | All | All | All
Application | Oracle | Communications Session Route Manager | 8.1.1 | All | All | All
Application | Oracle | Communications Session Route Manager | 8.2.0 | All | All | All
Application | Oracle | Communications Session Route Manager | 8.2.1 | All | All | All
Application | Oracle | Enterprise Manager Base Platform | 13.2.1.0 | All | All | All
Application | Oracle | Financial Services Regulatory Reporting With Agilereporter | 8.0.9.2.0 | All | All | All
Application | Oracle | Flexcube Private Banking | 12.0.0 | All | All | All
Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All
Application | Oracle | Healthcare Master Person Index | 4.0.2 | All | All | All
Application | Oracle | Insurance Calculation Engine | All | All | All | All
Application | Oracle | Insurance Policy Administration J2ee | 10.2.0 | All | All | All
Application | Oracle | Insurance Policy Administration J2ee | 10.2.4 | All | All | All
Application | Oracle | Insurance Policy Administration J2ee | 11.0.2 | All | All | All
Application | Oracle | Insurance Policy Administration J2ee | 11.1.0 | All | All | All
Application | Oracle | Insurance Policy Administration J2ee | 11.2.0 | All | All | All
Application | Oracle | Insurance Rules Palette | 10.2.0 | All | All | All
Application | Oracle | Insurance Rules Palette | 10.2.4 | All | All | All
Application | Oracle | Insurance Rules Palette | 11.0.2 | All | All | All
Application | Oracle | Insurance Rules Palette | 11.1.0 | All | All | All
Application | Oracle | Insurance Rules Palette | 11.2.0 | All | All | All
Application | Oracle | Mysql Enterprise Monitor | All | All | All | All
Application | Oracle | Mysql Enterprise Monitor | All | All | All | All
Application | Oracle | Nsurance Rules Palette | 10.2.0 | All | All | All
Application | Oracle | Nsurance Rules Palette | 10.2.4 | All | All | All
Application | Oracle | Nsurance Rules Palette | 11.0.2 | All | All | All
Application | Oracle | Nsurance Rules Palette | 11.1.0 | All | All | All
Application | Oracle | Nsurance Rules Palette | 11.2.0 | All | All | All
Application | Oracle | Rapid Planning | 12.1 | All | All | All
Application | Oracle | Rapid Planning | 12.2 | All | All | All
Application | Oracle | Retail Assortment Planning | 15.0 | All | All | All
Application | Oracle | Retail Assortment Planning | 16.0 | All | All | All
Application | Oracle | Retail Back Office | 14.1 | All | All | All
Application | Oracle | Retail Central Office | 14.1 | All | All | All
Application | Oracle | Retail Financial Integration | 15.0 | All | All | All
Application | Oracle | Retail Financial Integration | 16.0 | All | All | All
Application | Oracle | Retail Integration Bus | 15.0.3 | All | All | All
Application | Oracle | Retail Integration Bus | 16.0.3 | All | All | All
Application | Oracle | Retail Order Broker | 15.0 | All | All | All
Application | Oracle | Retail Order Broker | 16.0 | All | All | All
Application | Oracle | Retail Point-of-service | 14.1 | All | All | All
Application | Oracle | Retail Predictive Application Server | 14.0.3 | All | All | All
Application | Oracle | Retail Predictive Application Server | 14.1.3 | All | All | All
Application | Oracle | Retail Predictive Application Server | 15.0.3.0 | All | All | All
Application | Oracle | Retail Predictive Application Server | 16.0.3.0 | All | All | All
Application | Oracle | Retail Returns Management | 14.1 | All | All | All
Application | Oracle | Retail Service Backbone | 15.0 | All | All | All
Application | Oracle | Retail Service Backbone | 16.0 | All | All | All
Application | Oracle | Weblogic Server | 12.2.1.3.0 | All | All | All
Application | Oracle | Weblogic Server | 12.2.1.4.0 | All | All | All
Application | Pivotal Software | Spring Framework | All | All | All | All
Application | Pivotal Software | Spring Framework | All | All | All | All
Application | Vmware | Spring Framework | All | All | All | All
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.0.9.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:insurance_rules_palette:11.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:nsurance_rules_palette:10.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:nsurance_rules_palette:10.2.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:nsurance_rules_palette:11.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:nsurance_rules_palette:11.1.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:nsurance_rules_palette:11.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*:

Social Mentions

Source | Title | Posted (UTC)
Twitter | @LinInfoSec Spring - CVE-2020-5397: pivotal.io/security/cve-2… | 2022-04-11 19:00:47

© CVE.report 2023


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.