In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. Reference: https://tanzu.vmware.com/security/cve-2020-5421
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1881159]
Statement: This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web. In Red Hat Gluster Storage 3, SpringFramework (embedded in rhvm-dependencies) was shipped as a part of Red Hat Gluster Storage Console that is no longer supported for use with Red Hat Gluster Storage 3.5. However, spring-web is not included in the shipped version of SpringFramework.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
A word on scoring: our scoring is currently 6.5/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N. This differs from Pivotal's own of 8.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N and NVD's of 8.8/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Exploitability Metrics:

Attack Vector Network (AV:N) - Agree here; spring-web framework applications run on an HTTP server (Tomcat, Jetty, Undertow etc.) which is bound to the network and is commonly used to serve up applications which are public facing.

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H): We disagree here. Although this is very similar to XSS, which can be instigated via phishing and requires only link manipulation, the payload the end user will execute must be specific in that:
* It is targeted for a particular application or operating system and usually a shell (.bat, .sh, .ps etc.)
* The end user must be using a browser whose configuration is to execute the file; for example Firefox will open *.sh files with a text editor, and in many cases this will not represent a threat to the end user.
These are both conditions beyond the attacker's control and a successful attack cannot be expected without significant knowledge of the end user's environment.

Privileges Required Low (PR:L) - Agree here; the end user will be executing the payload with their account's privileges.

User Interaction Required (UI:R) - Agree here; this attack fundamentally relies on end user (web application user) interaction as opposed to user (developer/administrator) interaction in two possible ways:
* They must follow a malicious link
* In most cases the end user must execute the downloaded file - the caveat being the malicious file could be a targeted vector for another vulnerable application, e.g. a malicious PDF file targeted at a known vulnerable version of a PDF reader

Scope Changed (S:C) - Agree here; this is a reflected attack and as such end user resources outside of the security authority (organisation or individual running the web application) are affected.

Impact Metrics:

Confidentiality High (C:H) -> Confidentiality Low (C:L): We disagree here and believe a high impact on confidentiality is incorrect. In the envisioned scenario an end user might execute a script that manipulates their browser in such a way as to disclose active credentials; however, this is contingent on certain applications and configurations. Some of this is factored into attack complexity, but crucially the attacker does not have control over what information is obtained because of this; for local files this will also be limited in scope to the end user's privileges and permissions.

Integrity High (I:H) - We agree here; if the attack is successful the malicious file or script will execute with privileges equivalent to the end user's. This means that although only some files can be modified, malicious modification would present a direct, serious consequence to the end user.

Availability None (A:N) - We agree here; there is no availability impact upon the affected component itself (the spring web application).
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5421