CVE-2020-5397
CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
Spring Framework versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable, because preflight requests should not include credentials and such requests should therefore fail authentication. However, a notable exception is Chrome-based browsers when client certificates are used for authentication, since Chrome sends TLS client certificates in CORS preflight requests in violation of the specification's requirements. No HTTP body can be sent or received as a result of this attack.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-01-03 CVE Reserved
- 2020-01-17 CVE Published
- 2023-12-24 EPSS Updated
- 2024-09-17 CVE Updated
- 2024-09-17 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (7)
URL | Tag | Date |
---|---|---|
https://www.oracle.com/security-alerts/cpujul2022.html | X_refsource_misc | |
https://pivotal.io/security/cve-2020-5397 | | 2024-09-17 |
https://www.oracle.com//security-alerts/cpujul2021.html | | 2022-07-25 |
https://www.oracle.com/security-alerts/cpuapr2020.html | | 2022-07-25 |
https://www.oracle.com/security-alerts/cpujul2020.html | | 2022-07-25 |
https://www.oracle.com/security-alerts/cpuoct2020.html | | 2022-07-25 |
https://www.oracle.com/security-alerts/cpuoct2021.html | | 2022-07-25 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Vmware | Spring Framework | >= 5.2.0 < 5.2.3 | - | Affected |
Oracle | Application Testing Suite | 13.3.0.1 | - | Affected |
Oracle | Communications Brm - Elastic Charging Engine | 11.3 | - | Affected |
Oracle | Communications Brm - Elastic Charging Engine | 12.0 | - | Affected |
Oracle | Communications Diameter Signaling Router | >= 8.0.0 <= 8.2.2 | - | Affected |
Oracle | Communications Element Manager | 8.1.1 | - | Affected |
Oracle | Communications Element Manager | 8.2.0 | - | Affected |
Oracle | Communications Element Manager | 8.2.1 | - | Affected |
Oracle | Communications Policy Management | 12.5.0 | - | Affected |
Oracle | Communications Session Route Manager | 8.1.1 | - | Affected |
Oracle | Communications Session Route Manager | 8.2.0 | - | Affected |
Oracle | Communications Session Route Manager | 8.2.1 | - | Affected |
Oracle | Enterprise Manager Base Platform | 13.2.1.0 | - | Affected |
Oracle | Financial Services Regulatory Reporting With Agilereporter | 8.0.9.2.0 | - | Affected |
Oracle | Flexcube Private Banking | 12.0.0 | - | Affected |
Oracle | Flexcube Private Banking | 12.1.0 | - | Affected |
Oracle | Healthcare Master Person Index | 4.0.2 | - | Affected |
Oracle | Insurance Calculation Engine | >= 11.0.0 <= 11.3.1 | - | Affected |
Oracle | Insurance Policy Administration J2ee | 10.2.0 | - | Affected |
Oracle | Insurance Policy Administration J2ee | 10.2.4 | - | Affected |
Oracle | Insurance Policy Administration J2ee | 11.0.2 | - | Affected |
Oracle | Insurance Policy Administration J2ee | 11.1.0 | - | Affected |
Oracle | Insurance Policy Administration J2ee | 11.2.0 | - | Affected |
Oracle | Insurance Rules Palette | 10.2.0 | - | Affected |
Oracle | Insurance Rules Palette | 10.2.4 | - | Affected |
Oracle | Insurance Rules Palette | 11.0.2 | - | Affected |
Oracle | Insurance Rules Palette | 11.1.0 | - | Affected |
Oracle | Insurance Rules Palette | 11.2.0 | - | Affected |
Oracle | Mysql Enterprise Monitor | >= 4.0.0 <= 4.0.12 | - | Affected |
Oracle | Mysql Enterprise Monitor | >= 8.0.0 <= 8.0.20 | - | Affected |
Oracle | Rapid Planning | 12.1 | - | Affected |
Oracle | Rapid Planning | 12.2 | - | Affected |
Oracle | Retail Assortment Planning | 15.0 | - | Affected |
Oracle | Retail Assortment Planning | 16.0 | - | Affected |
Oracle | Retail Back Office | 14.1 | - | Affected |
Oracle | Retail Central Office | 14.1 | - | Affected |
Oracle | Retail Financial Integration | 15.0 | - | Affected |
Oracle | Retail Financial Integration | 16.0 | - | Affected |
Oracle | Retail Integration Bus | 15.0.3 | - | Affected |
Oracle | Retail Integration Bus | 16.0.3 | - | Affected |
Oracle | Retail Order Broker | 15.0 | - | Affected |
Oracle | Retail Order Broker | 16.0 | - | Affected |
Oracle | Retail Point-of-service | 14.1 | - | Affected |
Oracle | Retail Predictive Application Server | 14.0.3 | - | Affected |
Oracle | Retail Predictive Application Server | 14.1.3 | - | Affected |
Oracle | Retail Predictive Application Server | 15.0.3.0 | - | Affected |
Oracle | Retail Predictive Application Server | 16.0.3.0 | - | Affected |
Oracle | Retail Returns Management | 14.1 | - | Affected |
Oracle | Retail Service Backbone | 15.0 | - | Affected |
Oracle | Retail Service Backbone | 16.0 | - | Affected |
Oracle | Weblogic Server | 12.2.1.3.0 | - | Affected |
Oracle | Weblogic Server | 12.2.1.4.0 | - | Affected |