CVE-2020-5397 MEDIUM

CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux

Vendor Spring
Product Spring Framework
Weakness CWE-352 · CSRF
Published January 17, 2020
Last update September 17, 2024
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Key dates

02Disclosure timeline

January 17, 2020 CVE published
September 17, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-1503 login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting CVE-2025-8592 Inspiro <= 2.1.2 - Cross-Site Request Forgery to Arbitrary Plugin Installation CVE-2023-1871 YourChannel <= 1.2.4 - Cross-Site Request Forgery to Plugin Language Translation Reset CVE-2024-54418 WordPress DTC Documents plugin <= 1.1.05 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-6008 UserPro <= 5.1.1 - Cross-Site Request Forgery via multiple functions