Candidate: CVE-2020-5397
PublicDate: 2020-01-17 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5397
 https://pivotal.io/security/cve-2020-5397
Description:
 Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF
 attacks through CORS preflight requests that target Spring MVC
 (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.
 Only non-authenticated endpoints are vulnerable because preflight requests
 should not include credentials and therefore requests should fail
 authentication. However a notable exception to this are Chrome based
 browsers when using client certificates for authentication since Chrome
 sends TLS client certificates in CORS preflight requests in violation of
 spec requirements. No HTTP body can be sent or received as a result of this
 attack.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]


Patches_libspring-java:
upstream_libspring-java: needs-triage
precise/esm_libspring-java: DNE
trusty_libspring-java: ignored (out of standard support)
trusty/esm_libspring-java: needs-triage
xenial_libspring-java: ignored (end of standard support, was needs-triage)
bionic_libspring-java: needs-triage
disco_libspring-java: ignored (reached end-of-life)
eoan_libspring-java: ignored (reached end-of-life)
focal_libspring-java: needs-triage
groovy_libspring-java: ignored (reached end-of-life)
hirsute_libspring-java: ignored (reached end-of-life)
impish_libspring-java: needs-triage
jammy_libspring-java: needs-triage
devel_libspring-java: needs-triage