[java-sig-commits] [Bug 1881158] New: CVE-2020-5421 springframework: RFD protection bypass via jsessionid

Monday, 21 September 2020


https://bugzilla.redhat.com/show_bug.cgi?id=1881158

            Bug ID: 1881158
           Summary: CVE-2020-5421 springframework: RFD protection bypass
                    via jsessionid
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team(a)redhat.com
          Reporter: gsuckevi(a)redhat.com
                CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
                    alazarot(a)redhat.com, almorale(a)redhat.com,
                    anstephe(a)redhat.com, chazlett(a)redhat.com,
                    dblechte(a)redhat.com, dchen(a)redhat.com,
                    dfediuck(a)redhat.com, drieden(a)redhat.com,
                    eedri(a)redhat.com, etirelli(a)redhat.com,
                    extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com,
                    gmalinko(a)redhat.com, gvarsami(a)redhat.com,
                    hvyas(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com,
                    java-sig-commits(a)lists.fedoraproject.org,
                    jcoleman(a)redhat.com, jochrist(a)redhat.com,
                    jolee(a)redhat.com, jschatte(a)redhat.com,
                    jstastny(a)redhat.com, jwon(a)redhat.com,
                    kconner(a)redhat.com, krathod(a)redhat.com,
                    kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
                    lef(a)fedoraproject.org, lsurette(a)redhat.com,
                    mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com,
                    mnovotny(a)redhat.com, nwallace(a)redhat.com,
                    pjindal(a)redhat.com, puebele(a)redhat.com,
                    puntogil(a)libero.it, rrajasek(a)redhat.com,
                    rsynek(a)redhat.com, rwagner(a)redhat.com,
                    sbonazzo(a)redhat.com, sdaley(a)redhat.com,
                    sherold(a)redhat.com, tcunning(a)redhat.com,
                    tkirby(a)redhat.com, vhalbert(a)redhat.com,
                    yturgema(a)redhat.com
  Target Milestone: ---
    Classification: Other


In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18,
4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD
attacks from CVE-2015-5211 may be bypassed depending on the browser used
through the use of a jsessionid path parameter.

Reference:
https://tanzu.vmware.com/security/cve-2020-5421


-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[java-sig-commits] [Bug 1881158] New: CVE-2020-5421 springframework: RFD protection bypass via jsessionid