CVE-2020-5397

high-risk
Published 2020-01-17

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Do I need to act?

-
0.85% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Oracle Vmware

References (14)

Exploit https://pivotal.io/security/cve-2020-5397
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://www.oracle.com/security-alerts/cpuapr2020.html
Patch https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
Patch https://www.oracle.com/security-alerts/cpuoct2020.html
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
Exploit https://pivotal.io/security/cve-2020-5397
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://www.oracle.com/security-alerts/cpuapr2020.html
Patch https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
Patch https://www.oracle.com/security-alerts/cpuoct2020.html
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
50
/ 100
high-risk
Severity 21/34 · High
Exploitability 3/34 · Minimal
Exposure 26/34 · High