Vulnerability Description
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Framework | < 4.3.29 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Brm | 11.3.0.9 |
| Oracle | Communications Design Studio | 7.3.4 |
| Oracle | Communications Session Report Manager | >= 8.2.1, <= 8.2.2.1 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Data Quality | 12.2.1.3.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Fusion Middleware | 12.2.1.3.0 |
| Oracle | Goldengate Application Adapters | 19.1.0.0.0 |
| Oracle | Healthcare Master Person Index | 4.0.2.5 |
| Oracle | Hyperion Infrastructure Technology | 11.1.2.4 |
| Oracle | Insurance Policy Administration | >= 11.1.0, <= 11.3.0 |
| Oracle | Insurance Rules Palette | >= 11.1.0, <= 11.3.0 |
| Oracle | Mysql Enterprise Monitor | <= 8.0.22 |
| Oracle | Primavera Gateway | >= 16.2.0, <= 16.2.11 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 16.1.0, <= 16.2.20 |
| Oracle | Retail Assortment Planning | 16.0.3.0 |
References
- https://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b3154
- https://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59
- https://lists.apache.org/thread.html/r3589ed0d18edeb79028615080d5a0e8878856436bb
- https://lists.apache.org/thread.html/r503e64b43a57fd68229cac4a869d1a9a2eac9e75f8
- https://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e94
- https://lists.apache.org/thread.html/r7e6a213eea7f04fc6d9e3bd6eb8d68c4df92a22e95
- https://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f
- https://lists.apache.org/thread.html/r918caad55dcc640a16753b00d8d6acb90b4e36de4b
- https://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74
- https://lists.apache.org/thread.html/ra889d95141059c6cbe77dd80249bb488ae53b274b5
- https://lists.apache.org/thread.html/raf7ca57033e537e4f9d7df7f192fa6968c1e49409b
- https://lists.apache.org/thread.html/rb18ed999153ef0f0cb7af03efe0046c42c7242fd77
- https://lists.apache.org/thread.html/rc9efaf6db98bee19db1bc911d0fa442287dac5cb22
- https://lists.apache.org/thread.html/rd462a8b0dfab4c15e67c0672cd3c211ecd0e4f018f
- https://lists.apache.org/thread.html/re014a49d77f038ba70e5e9934d400af6653e8c9ac1
FAQ
What is CVE-2020-5421?
CVE-2020-5421 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depen...
How severe is CVE-2020-5421?
CVE-2020-5421 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5421?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Framework, Oracle Commerce Guided Search, Oracle Communications Brm, Oracle Communications Design Studio, Oracle Communications Session Report Manager.