CVE-2020-5397

Name of the Vulnerable Software and Affected Versions Spring Framework versions 5.2.x prior to 5.2.3

Description The issue is related to a lack of protection against cross-site request forgery (CSRF) attacks through CORS preflight requests targeting Spring MVC or Spring WebFlux endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials. However, a notable exception is Chrome-based browsers when using client certificates for authentication, as Chrome sends TLS client certificates in CORS preflight requests. No HTTP body can be sent or received as a result of this attack.

Recommendations For Spring Framework versions 5.2.x prior to 5.2.3, update to version 5.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to vulnerable Spring MVC and Spring WebFlux endpoints to minimize the risk of exploitation. Additionally, avoid using client certificates for authentication in Chrome-based browsers until the issue is resolved.