Описание
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Отчет
This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web. In Red Hat Gluster Storage 3, SpringFramework (embedded in rhvm-dependencies) was shipped as a part of Red Hat Gluster Storage Console that is no longer supported for use with Red Hat Gluster Storage 3.5. However, spring-web is not included in the shipped version of SpringFramework.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | springframework | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | springframework | Out of support scope | ||
| Red Hat JBoss Fuse 6 | springframework | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | springframework | Out of support scope | ||
| Red Hat JBoss SOA Platform 5 | springframework | Out of support scope | ||
| Red Hat Storage 3 | rhevm-dependencies | Not affected | ||
| Red Hat Virtualization 4 | rhvm-dependencies | Not affected | ||
| Red Hat Fuse 7.9 | springframework | Fixed | RHSA-2021:3140 | 11.08.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5. ...
Уязвимость программной платформы Spring Framework, связанная с небезопасным управлением привилегиями, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации
EPSS
6.5 Medium
CVSS3