var-202001-1869
Vulnerability from variot

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack. Spring Framework Contains a cross-site request forgery vulnerability.Information may be altered. Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202001-1869",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.0.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.0"
      },
      {
        "model": "enterprise manager base platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.2.1.0"
      },
      {
        "model": "retail back office",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1"
      },
      {
        "model": "retail central office",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.0"
      },
      {
        "model": "communications diameter signaling router",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "communications diameter signaling router",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.0"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0.3.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.4"
      },
      {
        "model": "communications policy management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.5.0"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0.3.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.0"
      },
      {
        "model": "communications session route manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.2.0"
      },
      {
        "model": "communications session route manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.2.1"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.0"
      },
      {
        "model": "insurance calculation engine",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.0.0"
      },
      {
        "model": "mysql enterprise monitor",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.0"
      },
      {
        "model": "retail assortment planning",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "mysql enterprise monitor",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.0.0"
      },
      {
        "model": "communications element manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.1.1"
      },
      {
        "model": "healthcare master person index",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.0.2"
      },
      {
        "model": "retail integration bus",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0.3"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1.3"
      },
      {
        "model": "retail service backbone",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail financial integration",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "mysql enterprise monitor",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.20"
      },
      {
        "model": "rapid planning",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1"
      },
      {
        "model": "retail point-of-service",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1"
      },
      {
        "model": "spring framework",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "vmware",
        "version": "5.2.3"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "financial services regulatory reporting with agilereporter",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.9.2.0"
      },
      {
        "model": "retail integration bus",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0.3"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.0.3"
      },
      {
        "model": "communications session route manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.1.1"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.2.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.0.2"
      },
      {
        "model": "communications brm - elastic charging engine",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.3"
      },
      {
        "model": "retail assortment planning",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "insurance calculation engine",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.3.1"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.2.0"
      },
      {
        "model": "communications element manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.2.0"
      },
      {
        "model": "spring framework",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "vmware",
        "version": "5.2.0"
      },
      {
        "model": "communications element manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.2.1"
      },
      {
        "model": "application testing suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.3.0.1"
      },
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1.0"
      },
      {
        "model": "mysql enterprise monitor",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.0.12"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail returns management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1"
      },
      {
        "model": "rapid planning",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.4"
      },
      {
        "model": "retail service backbone",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "communications brm - elastic charging engine",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.0"
      },
      {
        "model": "retail financial integration",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.0.2"
      },
      {
        "model": "spring framework",
        "scope": null,
        "trust": 0.8,
        "vendor": "pivotal",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.3",
                "versionStartIncluding": "5.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.0.20",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.2.2",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:11.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.0.9.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.0.12",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "11.3.1",
                "versionStartIncluding": "11.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Eric Zimanyi from Google",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-5397",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 4.9,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "High",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 2.6,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2020-5397",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 4.9,
            "id": "VHN-183522",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "LOW",
            "trust": 0.1,
            "vectorString": "AV:N/AC:H/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 1.4,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security@pivotal.io",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 1.4,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2020-5397",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5397",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "security@pivotal.io",
            "id": "CVE-2020-5397",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202001-841",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-183522",
            "trust": 0.1,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack. Spring Framework Contains a cross-site request forgery vulnerability.Information may be altered. Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5397",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841",
        "trust": 0.7
      },
      {
        "db": "NSFOCUS",
        "id": "48040",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-183522",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "id": "VAR-202001-1869",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:33:12.194000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux",
        "trust": 0.8,
        "url": "https://pivotal.io/security/cve-2020-5397"
      },
      {
        "title": "Pivotal Software Spring Framework Fixes for cross-site request forgery vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=107142"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-352",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://pivotal.io/security/cve-2020-5397"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5397"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5397"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/48040"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/spring-framework-cross-site-request-forgery-via-cors-preflight-requests-31363"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-01-17T00:00:00",
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "date": "2020-02-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "date": "2020-01-17T19:15:14.727000",
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "date": "2020-01-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-07-25T00:00:00",
        "db": "VULHUB",
        "id": "VHN-183522"
      },
      {
        "date": "2020-02-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      },
      {
        "date": "2022-07-25T18:15:30.737000",
        "db": "NVD",
        "id": "CVE-2020-5397"
      },
      {
        "date": "2022-07-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Spring Framework Vulnerable to cross-site request forgery",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-001404"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "cross-site request forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-841"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.