Bug 1881158 (CVE-2020-5421) - CVE-2020-5421 springframework: RFD protection bypass via jsessionid
Summary: CVE-2020-5421 springframework: RFD protection bypass via jsessionid
Alias: CVE-2020-5421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1881159
Blocks: 1881160 2014197
TreeView+ depends on / blocked
Reported: 2020-09-21 16:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-20 15:44 UTC (History)
49 users (show)

Fixed In Version: springframework-5.2.9, springframework-5.1.18, springframework-5.0.19, springframework-4.3.29
Doc Type: If docs needed, set a value
Doc Text:
In Spring Framework, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Clone Of:
Last Closed: 2021-08-11 19:28:34 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:26:15 UTC

Description Guilherme de Almeida Suckevicz 2020-09-21 16:31:07 UTC
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.


Comment 1 Guilherme de Almeida Suckevicz 2020-09-21 16:31:39 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1881159]

Comment 7 Hardik Vyas 2020-09-24 12:46:38 UTC

This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.

In Red Hat Gluster Storage 3, SpringFramework (embedded in rhvm-dependencies)  was shipped as a part of Red Hat Gluster Storage Console that is no longer supported for use with Red Hat Gluster Storage 3.5. However, spring-web is not included in the shipped version of SpringFramework.

Comment 10 Jonathan Christison 2020-09-25 14:50:02 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 11 Jonathan Christison 2020-09-30 17:22:10 UTC
A word on scoring, our scoring is currently 6.5/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N, this differs from Pivotals own of 8.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N and NVD of 8.8/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability Metrics: 

Attack Vector Network (AV:N) -
Agree here, spring-web framework applications run on a http server (tomcat, jetty, undertow etc) which is bound to the the network and is commonly used to serve up applications which are public facing

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):

We disagree here, although this is very similar to XSS which can be instigated via phishing and requires only link manipulation, the payload the end user will execute must be specific in that 

* It is targeted for a particular application or operating system and usually shell .bat, .sh, .ps etc

* The end user must be using a browser who's configuration is to execute the file, for example firefox will open *.sh files with a text editor, in many cases this will not represent a threat to the end user.

Theses are both conditions beyond the attackers control and a successful attack can not be expected without significant knowledge of the end users environment. 

Privileges Required Low (PR:L) -
Agree here, The end user will be executing the payload with their accounts privileges

User Interaction Required (UI:R)
Agree here, this attack fundamentally relies on end user (web application user) interaction as opposed to user (developer/administrator) interaction in two possible ways 

* They must follow a malicious link
* In most cases the end user must execute the downloaded file
    - The caveat being the malicious file could be a targeted vector for another vulnerable application 
    eg. a malicious PDF file targeted at a known vulnerable version of a PDF reader

Scope Changed (S:C)

Agree here, this is a reflected attack and as such end user resources outside of the security authority (organisation or individual running the web application) are affected 
Impact Metrics:

Confidentiality High (C:H) -> Confidentiality Low (C:L) 

We disagree here and believe a high impact on confidentiality is incorrect, in the envisioned scenario an end user might execute a script that manipulates their browser in such a way to disclose active credentials, however this is contingent on certain applications and configurations, some of this is factored into attack complexity but crucially the attacker does not have control over what information is obtained because of this, for local files this will also be limited in scope to the end users privileges and permissions.

Integrity High (I:H) 

We agree here if the attack is successful the malicious file or script will execute with privileges equivalent to the end users, this means although only some files can be modified, malicious modification would present a direct, serious consequence to the end user.

Availability None (A:N)

We agree here there is no availability impact upon the the affected component itself (the spring web application)

Comment 18 errata-xmlrpc 2021-08-11 18:26:12 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 19 Product Security DevOps Team 2021-08-11 19:28:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.