CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2020-5397

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.009

EPSS Ranking 74.9%

CVSS Severity

CVSS v3 Score 5.3

CVSS v2 Score 2.6

References

Products affected by CVE-2020-5397

Oracle » Application Testing Suite » Version: 13.3.0.1

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1
Oracle » Communications Brm - Elastic Charging Engine » Version: 11.3

cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3
Oracle » Communications Brm - Elastic Charging Engine » Version: 12.0

cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0
Oracle » Communications Diameter Signaling Router » Version: 8.0.0

cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0
Oracle » Communications Diameter Signaling Router » Version: 8.0.0.0

cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
Oracle » Communications Diameter Signaling Router » Version: 8.1

cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
Oracle » Communications Diameter Signaling Router » Version: 8.2

cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
Oracle » Communications Diameter Signaling Router » Version: 8.2.1

cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
Oracle » Communications Diameter Signaling Router » Version: 8.2.2

cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
Oracle » Communications Element Manager » Version: 8.1.1

cpe:2.3:a:oracle:communications_element_manager:8.1.1
Oracle » Communications Element Manager » Version: 8.2.0

cpe:2.3:a:oracle:communications_element_manager:8.2.0
Oracle » Communications Element Manager » Version: 8.2.1

cpe:2.3:a:oracle:communications_element_manager:8.2.1
Oracle » Communications Policy Management » Version: 12.5.0

cpe:2.3:a:oracle:communications_policy_management:12.5.0
Oracle » Communications Session Route Manager » Version: 8.1.1

cpe:2.3:a:oracle:communications_session_route_manager:8.1.1
Oracle » Communications Session Route Manager » Version: 8.2.0

cpe:2.3:a:oracle:communications_session_route_manager:8.2.0
Oracle » Communications Session Route Manager » Version: 8.2.1

cpe:2.3:a:oracle:communications_session_route_manager:8.2.1
Oracle » Enterprise Manager Base Platform » Version: 13.2.1.0

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0
Oracle » Financial Services Regulatory Reporting With Agilereporter » Version: 8.0.9.2.0

cpe:2.3:a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.0.9.2.0
Oracle » Flexcube Private Banking » Version: 12.0.0

cpe:2.3:a:oracle:flexcube_private_banking:12.0.0
Oracle » Flexcube Private Banking » Version: 12.1.0

cpe:2.3:a:oracle:flexcube_private_banking:12.1.0
Oracle » Healthcare Master Person Index » Version: 4.0.2

cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2
Oracle » Insurance Calculation Engine » Version: 11.0.0

cpe:2.3:a:oracle:insurance_calculation_engine:11.0.0
Oracle » Insurance Calculation Engine » Version: 11.3.1

cpe:2.3:a:oracle:insurance_calculation_engine:11.3.1
Oracle » Insurance Policy Administration J2ee » Version: 10.2.0

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0
Oracle » Insurance Policy Administration J2ee » Version: 10.2.4

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4
Oracle » Insurance Policy Administration J2ee » Version: 11.0.2

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2
Oracle » Insurance Policy Administration J2ee » Version: 11.1.0

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0
Oracle » Insurance Policy Administration J2ee » Version: 11.2.0

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0
Oracle » Insurance Rules Palette » Version: 10.2.0

cpe:2.3:a:oracle:insurance_rules_palette:10.2.0
Oracle » Insurance Rules Palette » Version: 10.2.4

cpe:2.3:a:oracle:insurance_rules_palette:10.2.4
Oracle » Insurance Rules Palette » Version: 11.0.2

cpe:2.3:a:oracle:insurance_rules_palette:11.0.2
Oracle » Insurance Rules Palette » Version: 11.1.0

cpe:2.3:a:oracle:insurance_rules_palette:11.1.0
Oracle » Insurance Rules Palette » Version: 11.2.0

cpe:2.3:a:oracle:insurance_rules_palette:11.2.0
Oracle » Mysql Enterprise Monitor » Version: 4.0.0

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.0
Oracle » Mysql Enterprise Monitor » Version: 4.0.0.5135

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.0.5135
Oracle » Mysql Enterprise Monitor » Version: 4.0.1

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.1
Oracle » Mysql Enterprise Monitor » Version: 4.0.11.5331

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.11.5331
Oracle » Mysql Enterprise Monitor » Version: 4.0.12

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.12
Oracle » Mysql Enterprise Monitor » Version: 4.0.2

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.2
Oracle » Mysql Enterprise Monitor » Version: 4.0.3

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.3
Oracle » Mysql Enterprise Monitor » Version: 4.0.4

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.4
Oracle » Mysql Enterprise Monitor » Version: 4.0.4.5235

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.4.5235
Oracle » Mysql Enterprise Monitor » Version: 4.0.5

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.5
Oracle » Mysql Enterprise Monitor » Version: 4.0.6

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.6
Oracle » Mysql Enterprise Monitor » Version: 4.0.6.5281

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.6.5281
Oracle » Mysql Enterprise Monitor » Version: 4.0.7

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.7
Oracle » Mysql Enterprise Monitor » Version: 4.0.8

cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.8
Oracle » Mysql Enterprise Monitor » Version: 8.0.0

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.0
Oracle » Mysql Enterprise Monitor » Version: 8.0.0.8131

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.0.8131
Oracle » Mysql Enterprise Monitor » Version: 8.0.1

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.1
Oracle » Mysql Enterprise Monitor » Version: 8.0.14

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.14
Oracle » Mysql Enterprise Monitor » Version: 8.0.18.1217

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.18.1217
Oracle » Mysql Enterprise Monitor » Version: 8.0.2

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.2
Oracle » Mysql Enterprise Monitor » Version: 8.0.2.8191

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.2.8191
Oracle » Mysql Enterprise Monitor » Version: 8.0.20

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.20
Oracle » Mysql Enterprise Monitor » Version: 8.0.3

cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.3
Oracle » Rapid Planning » Version: 12.1

cpe:2.3:a:oracle:rapid_planning:12.1
Oracle » Rapid Planning » Version: 12.2

cpe:2.3:a:oracle:rapid_planning:12.2
Oracle » Retail Assortment Planning » Version: 15.0

cpe:2.3:a:oracle:retail_assortment_planning:15.0
Oracle » Retail Assortment Planning » Version: 16.0

cpe:2.3:a:oracle:retail_assortment_planning:16.0
Oracle » Retail Back Office » Version: 14.1

cpe:2.3:a:oracle:retail_back_office:14.1
Oracle » Retail Central Office » Version: 14.1

cpe:2.3:a:oracle:retail_central_office:14.1
Oracle » Retail Financial Integration » Version: 15.0

cpe:2.3:a:oracle:retail_financial_integration:15.0
Oracle » Retail Financial Integration » Version: 16.0

cpe:2.3:a:oracle:retail_financial_integration:16.0
Oracle » Retail Integration Bus » Version: 15.0.3

cpe:2.3:a:oracle:retail_integration_bus:15.0.3
Oracle » Retail Integration Bus » Version: 16.0.3

cpe:2.3:a:oracle:retail_integration_bus:16.0.3
Oracle » Retail Order Broker » Version: 15.0

cpe:2.3:a:oracle:retail_order_broker:15.0
Oracle » Retail Order Broker » Version: 16.0

cpe:2.3:a:oracle:retail_order_broker:16.0
Oracle » Retail Point-Of-Service » Version: 14.1

cpe:2.3:a:oracle:retail_point-of-service:14.1
Oracle » Retail Predictive Application Server » Version: 14.0.3

cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3
Oracle » Retail Predictive Application Server » Version: 14.1.3

cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3
Oracle » Retail Predictive Application Server » Version: 15.0.3.0

cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.0
Oracle » Retail Predictive Application Server » Version: 16.0.3.0

cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0
Oracle » Retail Returns Management » Version: 14.1

cpe:2.3:a:oracle:retail_returns_management:14.1
Oracle » Retail Service Backbone » Version: 15.0

cpe:2.3:a:oracle:retail_service_backbone:15.0
Oracle » Retail Service Backbone » Version: 16.0

cpe:2.3:a:oracle:retail_service_backbone:16.0
Oracle » Weblogic Server » Version: 12.2.1.3.0

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0
Oracle » Weblogic Server » Version: 12.2.1.4.0

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0
Vmware » Spring Framework » Version: 5.2.0

cpe:2.3:a:vmware:spring_framework:5.2.0
Vmware » Spring Framework » Version: 5.2.1

cpe:2.3:a:vmware:spring_framework:5.2.1
Vmware » Spring Framework » Version: 5.2.2

cpe:2.3:a:vmware:spring_framework:5.2.2

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2020-5397

Products

Pricing

Contact Us