CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
First published: Fri Jan 17 2020(Updated: )
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
Credit: security@pivotal.io security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework:spring-webflux | >=5.2.0<5.2.3 | 5.2.3 |
| maven/org.springframework:spring-webmvc | >=5.2.0<5.2.3 | 5.2.3 |
| VMware Spring Framework | >=5.2.0<5.2.3 | |
| Oracle Application Testing Suite | =13.3.0.1 | |
| Oracle Communications Brm - Elastic Charging Engine | =11.3 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
| Oracle Communications Element Manager | =8.1.1 | |
| Oracle Communications Element Manager | =8.2.0 | |
| Oracle Communications Element Manager | =8.2.1 | |
| Oracle Communications Policy Management | =12.5.0 | |
| Oracle Communications Session Route Manager | =8.1.1 | |
| Oracle Communications Session Route Manager | =8.2.0 | |
| Oracle Communications Session Route Manager | =8.2.1 | |
| Oracle Enterprise Manager Base Platform | =13.2.1.0 | |
| Oracle Financial Services Regulatory Reporting With Agilereporter | =8.0.9.2.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Healthcare Master Person Index | =4.0.2 | |
| Oracle Insurance Calculation Engine | >=11.0.0<=11.3.1 | |
| Oracle Insurance Policy Administration J2EE | =10.2.0 | |
| Oracle Insurance Policy Administration J2EE | =10.2.4 | |
| Oracle Insurance Policy Administration J2EE | =11.0.2 | |
| Oracle Insurance Policy Administration J2EE | =11.1.0 | |
| Oracle Insurance Policy Administration J2EE | =11.2.0 | |
| Oracle Insurance Rules Palette | =10.2.0 | |
| Oracle Insurance Rules Palette | =10.2.4 | |
| Oracle Insurance Rules Palette | =11.0.2 | |
| Oracle Insurance Rules Palette | =11.1.0 | |
| Oracle Insurance Rules Palette | =11.2.0 | |
| Oracle Mysql Enterprise Monitor | >=4.0.0<=4.0.12 | |
| Oracle Mysql Enterprise Monitor | >=8.0.0<=8.0.20 | |
| Oracle Rapid Planning | =12.1 | |
| Oracle Rapid Planning | =12.2 | |
| Oracle Retail Assortment Planning | =15.0 | |
| Oracle Retail Assortment Planning | =16.0 | |
| Oracle Retail Back Office | =14.1 | |
| Oracle Retail Central Office | =14.1 | |
| Oracle Retail Financial Integration | =15.0 | |
| Oracle Retail Financial Integration | =16.0 | |
| Oracle Retail Integration Bus | =15.0.3 | |
| Oracle Retail Integration Bus | =16.0.3 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Point-of-Service | =14.1 | |
| Oracle Retail Predictive Application Server | =14.0.3 | |
| Oracle Retail Predictive Application Server | =14.1.3 | |
| Oracle Retail Predictive Application Server | =15.0.3.0 | |
| Oracle Retail Predictive Application Server | =16.0.3.0 | |
| Oracle Retail Returns Management | =14.1 | |
| Oracle Retail Service Backbone | =15.0 | |
| Oracle Retail Service Backbone | =16.0 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://pivotal.io/security/cve-2020-5397
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-5397
- https://github.com/spring-projects/spring-framework
- https://github.com/spring-projects/spring-framework/commit/bc7d01048579430b4b2df668178809b63d3f1929
- https://github.com/advisories/GHSA-7pm4-g2qj-j85x (Advisory)
Frequently Asked Questions
What is the severity of CVE-2020-5397?
The severity of CVE-2020-5397 is medium with a severity value of 5.3.
Which software versions are affected by CVE-2020-5397?
Spring Framework versions 5.2.x prior to 5.2.3, VMware Spring Framework, and Oracle Application Testing Suite are affected by CVE-2020-5397.
How does CVE-2020-5397 impact Spring Framework?
CVE-2020-5397 allows CSRF attacks through CORS preflight requests targeting Spring MVC or Spring WebFlux endpoints.
What are the reference links for CVE-2020-5397?
The reference links for CVE-2020-5397 are: [Link 1](https://pivotal.io/security/cve-2020-5397), [Link 2](https://www.oracle.com//security-alerts/cpujul2021.html), [Link 3](https://www.oracle.com/security-alerts/cpuapr2020.html).
What is the Common Weakness Enumeration (CWE) for CVE-2020-5397?
The Common Weakness Enumeration (CWE) for CVE-2020-5397 is CWE-352.
- agent/type
- agent/remedy
- agent/weakness
- agent/description
- agent/severity
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7pm4-g2qj-j85x
- alias/CVE-2020-5397
- agent/software-canonical-lookup
- agent/references
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/tags
- agent/event
- agent/first-publish-date
- package-manager/maven
- vendor/vmware
- canonical/vmware spring framework
- version/vmware spring framework/5.2.0
- vendor/oracle
- canonical/oracle application testing suite
- version/oracle application testing suite/13.3.0.1
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/11.3
- version/oracle communications brm - elastic charging engine/12.0
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.2.2
- canonical/oracle communications element manager
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.1
- canonical/oracle communications policy management
- version/oracle communications policy management/12.5.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.1.1
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.1
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.2.1.0
- canonical/oracle financial services regulatory reporting with agilereporter
- version/oracle financial services regulatory reporting with agilereporter/8.0.9.2.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle healthcare master person index
- version/oracle healthcare master person index/4.0.2
- canonical/oracle insurance calculation engine
- version/oracle insurance calculation engine/11.0.0
- version/oracle insurance calculation engine/11.3.1
- canonical/oracle insurance policy administration j2ee
- version/oracle insurance policy administration j2ee/10.2.0
- version/oracle insurance policy administration j2ee/10.2.4
- version/oracle insurance policy administration j2ee/11.0.2
- version/oracle insurance policy administration j2ee/11.1.0
- version/oracle insurance policy administration j2ee/11.2.0
- canonical/oracle insurance rules palette
- version/oracle insurance rules palette/10.2.0
- version/oracle insurance rules palette/10.2.4
- version/oracle insurance rules palette/11.0.2
- version/oracle insurance rules palette/11.1.0
- version/oracle insurance rules palette/11.2.0
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/4.0.0
- version/oracle mysql enterprise monitor/4.0.12
- version/oracle mysql enterprise monitor/8.0.0
- version/oracle mysql enterprise monitor/8.0.20
- canonical/oracle rapid planning
- version/oracle rapid planning/12.1
- version/oracle rapid planning/12.2
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/15.0
- version/oracle retail assortment planning/16.0
- canonical/oracle retail back office
- version/oracle retail back office/14.1
- canonical/oracle retail central office
- version/oracle retail central office/14.1
- canonical/oracle retail financial integration
- version/oracle retail financial integration/15.0
- version/oracle retail financial integration/16.0
- canonical/oracle retail integration bus
- version/oracle retail integration bus/15.0.3
- version/oracle retail integration bus/16.0.3
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- version/oracle retail order broker/16.0
- canonical/oracle retail point-of-service
- version/oracle retail point-of-service/14.1
- canonical/oracle retail predictive application server
- version/oracle retail predictive application server/14.0.3
- version/oracle retail predictive application server/14.1.3
- version/oracle retail predictive application server/15.0.3.0
- version/oracle retail predictive application server/16.0.3.0
- canonical/oracle retail returns management
- version/oracle retail returns management/14.1
- canonical/oracle retail service backbone
- version/oracle retail service backbone/15.0
- version/oracle retail service backbone/16.0
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0
- version/oracle weblogic server/12.2.1.4.0