Vulnerability Name:

CVE-2020-5397 (CCN-174863)

Assigned:2020-01-16
Published:2020-01-16
Updated:2022-07-25
Summary:Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
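The mechanism above is easiest to see with a small model of request dispatch. The following Python is an added illustration and is not Spring Framework code: the `Request` class, the `CorsConfig` class, the `/account/reset` route and the two dispatcher functions are hypothetical and constructed here. A page on another origin forces the preflight simply by sending a `fetch()` with a non-simple header, so the browser emits `OPTIONS` with `Origin` and `Access-Control-Request-Method`, no body and (per spec) no credentials. A dispatcher that matches the preflight by path alone hands it to a handler mapped for every HTTP method, and the handler's side effect runs; a dispatcher that routes every preflight through CORS processing rejects it when no CORS configuration exists for the path and otherwise answers it without ever invoking the handler.

```python
"""Model of how a CORS preflight reaches an endpoint.

Added illustration; this is a simplified, hypothetical dispatcher, not
Spring Framework code. Requests, routes and the CORS registry are
constructed here so the file runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def is_preflight(req: Request) -> bool:
    """A CORS preflight is an OPTIONS request carrying both Origin and
    Access-Control-Request-Method. Browsers send it without a body and,
    per the Fetch spec, without credentials."""
    return (req.method == "OPTIONS"
            and req.header("Origin") is not None
            and req.header("Access-Control-Request-Method") is not None)


@dataclass
class CorsConfig:
    allowed_origins: Set[str]
    allowed_methods: Set[str]


# Constructed state: an audit log of what the endpoint actually did.
ACTIONS: List[Tuple[str, str]] = []


def reset_password_handler(req: Request) -> int:
    """Hypothetical unauthenticated endpoint mapped for every HTTP method
    on its path (the equivalent of a mapping with no method restriction)."""
    ACTIONS.append(("reset-initiated", req.method))
    return 200


ROUTES: Dict[str, Callable[[Request], int]] = {"/account/reset": reset_password_handler}
CORS_CONFIGS: Dict[str, CorsConfig] = {}  # no CORS configured for any path


def dispatch_by_path_only(req: Request) -> int:
    """Vulnerable shape: the preflight is matched by path like any other
    request and handed to the handler, whose side effect executes."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404
    return handler(req)


def dispatch_with_cors_processing(req: Request) -> int:
    """Hardened shape: every preflight goes through CORS processing first.
    No configuration for the path -> 403 and the handler never runs.
    Configuration present -> the CORS layer answers the preflight itself
    (200) only for the configured origins and methods, still without
    invoking the handler."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404
    if is_preflight(req):
        cfg = CORS_CONFIGS.get(req.path)
        if cfg is None:
            return 403
        origin = req.header("Origin")
        wanted = req.header("Access-Control-Request-Method")
        if origin not in cfg.allowed_origins or wanted not in cfg.allowed_methods:
            return 403
        return 200
    return handler(req)


def simulate(dispatch: Callable[[Request], int]) -> Tuple[int, List[Tuple[str, str]]]:
    """Deliver one constructed preflight, as a browser would on behalf of a
    page at attacker.example, and report (status, recorded side effects)."""
    ACTIONS.clear()
    preflight = Request(
        method="OPTIONS",
        path="/account/reset",
        headers={
            "Origin": "https://attacker.example",
            "Access-Control-Request-Method": "POST",
            "Access-Control-Request-Headers": "x-requested-with",
        },
    )
    # What makes this a CSRF with no payload: no body, no cookies.
    assert preflight.body == b"" and preflight.header("Cookie") is None
    status = dispatch(preflight)
    return status, list(ACTIONS)


if __name__ == "__main__":
    print("path-only dispatch:  ", simulate(dispatch_by_path_only))
    print("CORS-aware dispatch: ", simulate(dispatch_with_cors_processing))
```

Running the file shows the path-only dispatcher returning 200 with the reset recorded, and the CORS-aware dispatcher returning 403 with nothing recorded. The model does not cover the Chrome client-certificate exception in the summary: there the preflight does carry a credential, so the "only unauthenticated endpoints" limit no longer holds and the same dispatcher fix is what protects the endpoint.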
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-352
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-5397

Source: XF
Type: UNKNOWN
spring-cve20205397-csrf(174863)

Source: CCN
Type: Pivotal Web site
CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux

Source: CONFIRM
Type: Exploit, Vendor Advisory
https://pivotal.io/security/cve-2020-5397

Source: CCN
Type: Spring Web site
Spring Professional Certification

Source: CCN
Type: IBM Security Bulletin 6243446 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.2.0 and < 5.2.3)

Configuration 2:
  • cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.0.20)
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.2)
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:16.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:11.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:healthcare_master_person_index:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.0.9.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.12)
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.3.1)
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:pivotal_software:spring_framework:5.2.2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:data_risk_manager:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.disco:def:202053970000000 | V | CVE-2020-5397 on Ubuntu 19.04 (disco) - medium. | 2020-01-17
oval:com.ubuntu.bionic:def:202053970000000 | V | CVE-2020-5397 on Ubuntu 18.04 LTS (bionic) - medium. | 2020-01-17
oval:com.ubuntu.xenial:def:202053970000000 | V | CVE-2020-5397 on Ubuntu 16.04 LTS (xenial) - medium. | 2020-01-17