CVE-2020-5421 (CNNVD-202009-1050)

HIGH
中文标题:
Vmware Spring Framework 安全漏洞
英文标题:
RFD Protection Bypass via jsessionid
CVSS分数: 8.7
发布时间: 2020-09-19 03:45:13
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Vmware Spring Framework是美国威睿(Vmware)公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 VMware Tanzu Spring Framework存在安全漏洞,该漏洞源于jsessionid路径参数绕过,以下产品及版本受到影响:5.2.0 - 5.2.8、5.1.0至5.1.17、5.0.0至5.0.18、4.3.0至4.3.28以及更早的不受支持的版本。

英文描述:

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

CWE类型:
(暂无数据)
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
Spring by VMware Spring Framework - < 4.3.29 - cpe:2.3:a:spring_by_vmware:spring_framework:*:*:*:*:*:*:*:*
vmware spring_framework * - - cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
oracle commerce_guided_search 11.3.2 - - cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oracle communications_brm 11.3.0.9 - - cpe:2.3:a:oracle:communications_brm:11.3.0.9:*:*:*:*:*:*:*
oracle communications_brm 12.0.0.3 - - cpe:2.3:a:oracle:communications_brm:12.0.0.3:*:*:*:*:*:*:*
oracle communications_design_studio 7.3.4 - - cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*
oracle communications_design_studio 7.3.5 - - cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*
oracle communications_design_studio 7.4.0 - - cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*
oracle communications_session_report_manager * - - cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.3.4 - - cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.3.5 - - cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
oracle endeca_information_discovery_integrator 3.2.0 - - cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
oracle enterprise_data_quality 12.2.1.3.0 - - cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
oracle enterprise_data_quality 12.2.1.4.0 - - cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure * - - cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle flexcube_private_banking 12.0.0 - - cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
oracle flexcube_private_banking 12.1.0 - - cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
oracle fusion_middleware 12.2.1.3.0 - - cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*
oracle fusion_middleware 12.2.1.4.0 - - cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*
oracle goldengate_application_adapters 19.1.0.0.0 - - cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*
oracle healthcare_master_person_index 4.0.2.5 - - cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2.5:*:*:*:*:*:*:*
oracle hyperion_infrastructure_technology 11.1.2.4 - - cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
oracle insurance_policy_administration * - - cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
oracle insurance_policy_administration 10.2 - - cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*
oracle insurance_policy_administration 10.2.4 - - cpe:2.3:a:oracle:insurance_policy_administration:10.2.4:*:*:*:*:*:*:*
oracle insurance_policy_administration 11.0.2 - - cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*
oracle insurance_rules_palette * - - cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.2.0 - - cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.2.4 - - cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.0.2 - - cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor * - - cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor 8.0.23 - - cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*
oracle primavera_gateway * - - cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_p6_enterprise_project_portfolio_management * - - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
oracle retail_assortment_planning 16.0.3.0 - - cpe:2.3:a:oracle:retail_assortment_planning:16.0.3.0:*:*:*:*:*:*:*
oracle retail_bulk_data_integration 16.0.3.0 - - cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
oracle retail_customer_engagement * - - cpe:2.3:a:oracle:retail_customer_engagement:*:*:*:*:*:*:*:*
oracle retail_customer_management_and_segmentation_foundation * - - cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
oracle retail_financial_integration 14.1.3 - - cpe:2.3:a:oracle:retail_financial_integration:14.1.3:*:*:*:*:*:*:*
oracle retail_financial_integration 15.0.3 - - cpe:2.3:a:oracle:retail_financial_integration:15.0.3:*:*:*:*:*:*:*
oracle retail_financial_integration 16.0.3 - - cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
oracle retail_integration_bus 14.1.3 - - cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*
oracle retail_integration_bus 15.0.3 - - cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
oracle retail_integration_bus 16.0.3 - - cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
oracle retail_invoice_matching 14.0 - - cpe:2.3:a:oracle:retail_invoice_matching:14.0:*:*:*:*:*:*:*
oracle retail_invoice_matching 14.1 - - cpe:2.3:a:oracle:retail_invoice_matching:14.1:*:*:*:*:*:*:*
oracle retail_merchandising_system 16.0.3 - - cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
oracle retail_order_broker 15.0 - - cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
oracle retail_order_broker 16.0 - - cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
oracle retail_predictive_application_server 14.1 - - cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*
oracle retail_returns_management 14.1 - - cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
oracle retail_service_backbone 14.1.3 - - cpe:2.3:a:oracle:retail_service_backbone:14.1.3:*:*:*:*:*:*:*
oracle retail_service_backbone 15.0.3 - - cpe:2.3:a:oracle:retail_service_backbone:15.0.3:*:*:*:*:*:*:*
oracle retail_service_backbone 16.0.3 - - cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 15.0.4 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 16.0.6 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 17.0.4 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 18.0.3 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 19.0.2 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
oracle storagetek_acsls 8.5.1 - - cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
oracle storagetek_tape_analytics_sw_tool 2.3 - - cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*
oracle weblogic_server 10.3.6.0.0 - - cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
oracle weblogic_server 12.1.3.0.0 - - cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.3.0 - - cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.4.0 - - cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
oracle weblogic_server 14.1.1.0.0 - - cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
netapp oncommand_insight - - - cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
netapp snap_creator_framework - - - cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
netapp snapcenter - - - cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题 x_refsource_CONFIRM
cve.org
访问
[ranger-dev] 20201007 Re: Review Request 72934: RANGER-3022: Upgrade Spring framework to version 4.3.29.RELEASE mailing-list
cve.org
访问
[ambari-issues] 20201013 [jira] [Created] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 mailing-list
cve.org
访问
[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko opened a new pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 mailing-list
cve.org
访问
[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko merged pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 mailing-list
cve.org
访问
[ambari-commits] 20201019 [ambari] branch branch-2.7 updated: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 (dlysnichenko) (#3246) mailing-list
cve.org
访问
[ambari-issues] 20201021 [jira] [Resolved] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 mailing-list
cve.org
访问
[hive-dev] 20201022 [jira] [Created] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421 mailing-list
cve.org
访问
[hive-issues] 20201022 [jira] [Assigned] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421 mailing-list
cve.org
访问
[hive-issues] 20201022 [jira] [Updated] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421 mailing-list
cve.org
访问
[pulsar-commits] 20201022 [GitHub] [pulsar] Ghatage opened a new pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421 mailing-list
cve.org
访问
[pulsar-commits] 20201023 [GitHub] [pulsar] Ghatage commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421 mailing-list
cve.org
访问
[pulsar-commits] 20201026 [GitHub] [pulsar] wolfstudy commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421 mailing-list
cve.org
访问
[pulsar-commits] 20201028 [GitHub] [pulsar] merlimat merged pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421 mailing-list
cve.org
访问
[ignite-user] 20201117 Query on CVE-2020-5421 mailing-list
cve.org
访问
[ignite-user] 20201119 Re: Query on CVE-2020-5421 mailing-list
cve.org
访问
[hive-issues] 20210107 [jira] [Resolved] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421 mailing-list
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
CVSS评分详情
3.0 (cna)
HIGH
8.7
CVSS向量: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
机密性
HIGH
完整性
HIGH
可用性
NONE
时间信息
发布时间:
2020-09-19 03:45:13
修改时间:
2024-09-17 03:58:43
创建时间:
2025-11-11 15:36:24
更新时间:
2025-11-11 15:56:25
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2020-5421 2025-11-11 15:20:39 2025-11-11 07:36:24
NVD nvd_CVE-2020-5421 2025-11-11 14:57:03 2025-11-11 07:44:47
CNNVD cnnvd_CNNVD-202009-1050 2025-11-11 15:10:30 2025-11-11 07:56:25
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 15:56:25
vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-202009-1050; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • cnnvd_id: 未提取 -> CNNVD-202009-1050
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:44:47
affected_products_count: 4 → 69; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • affected_products_count: 4 -> 69
  • data_sources: ['cve'] -> ['cve', 'nvd']