Attacker Value
Unknown
CVE-2020-5397
CVE-2020-5397
(Last updated November 27, 2024) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
5.3 Medium
Impact Score:
1.4
Exploitability Score:
3.9
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
Low
Availability (A):
None
General Information
Products
- application testing suite 13.3.0.1
- communications brm elastic charging engine 11.3
- communications brm elastic charging engine 12.0
- communications diameter signaling router
- communications element manager 8.1.1
- communications element manager 8.2.0
- communications element manager 8.2.1
- communications policy management 12.5.0
- communications session route manager 8.1.1
- communications session route manager 8.2.0
- communications session route manager 8.2.1
- enterprise manager base platform 13.2.1.0
- financial services regulatory reporting with agilereporter 8.0.9.2.0
- flexcube private banking 12.0.0
- flexcube private banking 12.1.0
- healthcare master person index 4.0.2
- insurance calculation engine
- insurance policy administration j2ee 10.2.0
- insurance policy administration j2ee 10.2.4
- insurance policy administration j2ee 11.0.2
- insurance policy administration j2ee 11.1.0
- insurance policy administration j2ee 11.2.0
- insurance rules palette 10.2.0
- insurance rules palette 10.2.4
- insurance rules palette 11.0.2
- insurance rules palette 11.1.0
- insurance rules palette 11.2.0
- mysql enterprise monitor
- rapid planning 12.1
- rapid planning 12.2
- retail assortment planning 15.0
- retail assortment planning 16.0
- retail back office 14.1
- retail central office 14.1
- retail financial integration 15.0
- retail financial integration 16.0
- retail integration bus 15.0.3
- retail integration bus 16.0.3
- retail order broker 15.0
- retail order broker 16.0
- retail point of service 14.1
- retail predictive application server 14.0.3
- retail predictive application server 14.1.3
- retail predictive application server 15.0.3.0
- retail predictive application server 16.0.3.0
- retail returns management 14.1
- retail service backbone 15.0
- retail service backbone 16.0
- spring framework
- weblogic server 12.2.1.3.0
- weblogic server 12.2.1.4.0
References
Miscellaneous
