Spring Security Advisories

RSS feed

CVE-2020-5421: RFD Protection Bypass via jsessionid

HIGH | SEPTEMBER 17, 2020 | CVE-2020-5421

Description

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Affected Spring Products and Versions

  • Spring Framework
    • 5.2.0 to 5.2.8
    • 5.1.0 to 5.1.17
    • 5.0.0 to 5.0.18
    • 4.3.0 to 4.3.28
    • Older, unsupported versions

Mitigation

  • Spring Framework
    • 5.2.9
    • 5.1.18
    • 5.0.19
    • 4.3.29

Credit

This issue was identified and responsibly reported by Keitaro Yamazaki / Ierae Security.

References

History

  • 2020-09-17: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all