CVE-2020-5421
Summary
| CVE | CVE-2020-5421 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-09-19 04:15:00 UTC |
| Updated | 2023-11-07 03:23:00 UTC |
| Description | In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Ambari | 2.7.4 | All | All | All |
| Application | Apache | Ambari | 2.7.5 | All | All | All |
| Application | Apache | Hive | 4.0.0 | All | All | All |
| Application | Netapp | Oncommand Insight | - | All | All | All |
| Application | Netapp | Snapcenter | - | All | All | All |
| Application | Netapp | Snap Creator Framework | - | All | All | All |
| Application | Oracle | Commerce Guided Search | 11.3.2 | All | All | All |
| Application | Oracle | Communications Brm | 11.3.0.9 | All | All | All |
| Application | Oracle | Communications Brm | 12.0.0.3 | All | All | All |
| Application | Oracle | Communications Design Studio | 7.3.4 | All | All | All |
| Application | Oracle | Communications Design Studio | 7.3.5 | All | All | All |
| Application | Oracle | Communications Design Studio | 7.4.0 | All | All | All |
| Application | Oracle | Communications Session Report Manager | All | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.5 | All | All | All |
| Application | Oracle | Endeca Information Discovery Integrator | 3.2.0 | All | All | All |
| Application | Oracle | Enterprise Data Quality | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Enterprise Data Quality | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | All | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.0.0 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All |
| Application | Oracle | Fusion Middleware | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Fusion Middleware | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Goldengate Application Adapters | 19.1.0.0.0 | All | All | All |
| Application | Oracle | Healthcare Master Person Index | 4.0.2.5 | All | All | All |
| Application | Oracle | Hyperion Infrastructure Technology | 11.1.2.4 | All | All | All |
| Application | Oracle | Insurance Policy Administration | 10.2 | All | All | All |
| Application | Oracle | Insurance Policy Administration | 10.2.4 | All | All | All |
| Application | Oracle | Insurance Policy Administration | 11.0.2 | All | All | All |
| Application | Oracle | Insurance Policy Administration | All | All | All | All |
| Application | Oracle | Insurance Rules Palette | 10.2.0 | All | All | All |
| Application | Oracle | Insurance Rules Palette | 10.2.4 | All | All | All |
| Application | Oracle | Insurance Rules Palette | 11.0.2 | All | All | All |
| Application | Oracle | Insurance Rules Palette | All | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | 8.0.23 | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | All | All | All | All |
| Application | Oracle | Primavera Gateway | All | All | All | All |
| Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | All | All | All | All |
| Application | Oracle | Retail Assortment Planning | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Customer Engagement | All | All | All | All |
| Application | Oracle | Retail Customer Management And Segmentation Foundation | All | All | All | All |
| Application | Oracle | Retail Financial Integration | 14.1.3 | All | All | All |
| Application | Oracle | Retail Financial Integration | 15.0.3 | All | All | All |
| Application | Oracle | Retail Financial Integration | 16.0.3 | All | All | All |
| Application | Oracle | Retail Integration Bus | 14.1.3 | All | All | All |
| Application | Oracle | Retail Integration Bus | 15.0.3 | All | All | All |
| Application | Oracle | Retail Integration Bus | 16.0.3 | All | All | All |
| Application | Oracle | Retail Invoice Matching | 14.0 | All | All | All |
| Application | Oracle | Retail Invoice Matching | 14.1 | All | All | All |
| Application | Oracle | Retail Merchandising System | 16.0.3 | All | All | All |
| Application | Oracle | Retail Order Broker | 15.0 | All | All | All |
| Application | Oracle | Retail Order Broker | 16.0 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 14.1 | All | All | All |
| Application | Oracle | Retail Returns Management | 14.1 | All | All | All |
| Application | Oracle | Retail Service Backbone | 14.1.3 | All | All | All |
| Application | Oracle | Retail Service Backbone | 15.0.3 | All | All | All |
| Application | Oracle | Retail Service Backbone | 16.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 15.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Storagetek Acsls | 8.5.1 | All | All | All |
| Application | Oracle | Storagetek Tape Analytics Sw Tool | 2.3 | All | All | All |
| Application | Oracle | Weblogic Server | 10.3.6.0.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.1.3.0.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Weblogic Server | 14.1.1.0.0 | All | All | All |
| Application | Pivotal Software | Spring Framework | All | All | All | All |
| Application | Vmware | Spring Framework | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Mailing List |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| CVE-2020-5421: RFD Protection Bypass via jsessionid \| Security \| VMware Tanzu | CONFIRM | tanzu.vmware.com | Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| CVE-2020-5421 Spring Framework Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 730118 Dell Unisphere for PowerMax Security Update for Multiple Third-Party Component Vulnerabilities
- 730119 Dell Solutions Enabler Security Update for Multiple Third-Party Component Vulnerabilities
- 730543 Atlassian Confluence Server and Confluence Data Center Reflected File Download (RFD) Vulnerability (CONFSERVER-60618)
- 980323 Java (maven) Security Update for org.springframework:spring-framework-bom (GHSA-rv39-3qh7-9v7w)