https://bugzilla.redhat.com/show_bug.cgi?id=1881158
Bug ID: 1881158
Summary: CVE-2020-5421 springframework: RFD protection bypass via jsessionid
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, chazlett@redhat.com, dblechte@redhat.com, dchen@redhat.com, dfediuck@redhat.com, drieden@redhat.com, eedri@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hvyas@redhat.com, ibek@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jochrist@redhat.com, jolee@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lsurette@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mnovotny@redhat.com, nwallace@redhat.com, pjindal@redhat.com, puebele@redhat.com, puntogil@libero.it, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sbonazzo@redhat.com, sdaley@redhat.com, sherold@redhat.com, tcunning@redhat.com, tkirby@redhat.com, vhalbert@redhat.com, yturgema@redhat.com
Target Milestone: ---
Classification: Other
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD (Reflected File Download) attacks added for CVE-2015-5211 may be bypassed, depending on the browser used, through the use of a jsessionid path parameter.
Reference: https://tanzu.vmware.com/security/cve-2020-5421