Fluid Attacks Database

Description

Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libspring-java	>=0 <4.3.30-1	4.3.30-1
maven	org.springframework:spring-messaging	>=0 <=4.2.9 \|\| >=4.3.0 <=4.3.28 \|\| >=5.0.0 <=5.0.18 \|\| >=5.1.0 <=5.1.17 \|\| >=5.2.0 <=5.2.8	4.3.29.release, 5.0.19.release, 5.1.18.release, 5.2.9.release
maven	org.springframework:spring-core	>=0 <=4.2.9 \|\| >=4.3.0 <=4.3.28 \|\| >=5.0.0 <=5.0.18 \|\| >=5.1.0 <=5.1.17 \|\| >=5.2.0 <=5.2.8	4.3.29.release, 5.0.19.release, 5.1.18.release, 5.2.9.release
maven	org.springframework:spring-webflux	>=0 <=4.2.9 \|\| >=4.3.0 <=4.3.28 \|\| >=5.0.0 <=5.0.18 \|\| >=5.1.0 <=5.1.17 \|\| >=5.2.0 <=5.2.8	5.0.19.release, 5.1.18.release, 5.2.9.release
maven	org.springframework:spring-webmvc	>=0 <=4.2.9 \|\| >=4.3.0 <=4.3.28 \|\| >=5.0.0 <=5.0.18 \|\| >=5.1.0 <=5.1.17 \|\| >=5.2.0 <=5.2.8	4.3.29.release, 5.0.19.release, 5.1.18.release, 5.2.9.release
debian 14	libspring-java	>=0 <4.3.30-1	4.3.30-1
maven	org.springframework:spring-framework-bom	>=5.2.0 <5.2.9 \|\| >=5.1.0 <5.1.18 \|\| >=5.0.0 <5.0.19 \|\| >=0 <4.3.29	5.2.9, 5.1.18, 5.0.19, 4.3.29
maven	org.springframework:spring-oxm	>=0 <=4.2.9 \|\| >=4.3.0 <=4.3.28 \|\| >=5.0.0 <=5.0.18 \|\| >=5.1.0 <=5.1.17 \|\| >=5.2.0 <=5.2.8	4.3.29.release, 5.0.19.release, 5.1.18.release, 5.2.9.release
debian 12	libspring-java	>=0 <4.3.30-1	4.3.30-1
debian 11	libspring-java	>=0 <4.3.30-1	4.3.30-1

1-10 of 11

Aliases

1. CVE-2020-54212. NVD-2020-54213. OSV-DEBIAN-2020-54214. OSV-2020-54215. GCVE-2020-54216. SECURITY-TRACKER-CVE-2020-54217. TANZU-cve-2020-5421

References