Vulnerability in Spring Core 5

Issue date: 29-10-2020
Affects versions: 14.2, 13.4, 12.6

Security Issue ID

SECURITY-188


Affected Product Version(s)

14.3.1, 13.4.4, 12.6.11 (and previous patch releases)


Severity

low


Description

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against Reflected File Download (RFD) attacks introduced for CVE-2015-5211 may be bypassed, depending on the browser used, through a jsessionid path parameter. Although brXM is not vulnerable to this issue in its standard configuration, customer projects may be using this library in a vulnerable way. Spring has been upgraded to version 5.1.15 for brXM 14.3.2 and 13.4.5, and to version 4.3.29 for version 12.6.12.

See CVE-2020-5421.

Instructions

Customers are advised to upgrade to the latest maintenance or minor releases as indicated above. This can be done by incrementing the version number of the parent POM of the implementation project.
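As an added check that is not part of this advisory or of brXM, the following Python flags Spring Framework artifacts in `mvn dependency:list` output whose version falls in the affected ranges listed in the description; the dependency lines are constructed sample input for a hypothetical project, and versions that cannot be parsed are reported for manual review.

```python
import re

# Affected Spring Framework ranges taken from the advisory (inclusive bounds).
# Anything below 4.3.0 is an "older unsupported version" and is treated as affected.
AFFECTED_RANGES = [
    ((5, 2, 0), (5, 2, 8)),
    ((5, 1, 0), (5, 1, 17)),
    ((5, 0, 0), (5, 0, 18)),
    ((4, 3, 0), (4, 3, 28)),
]

# Spring versions look like 5.1.14.RELEASE or 4.3.29.RELEASE; the suffix is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\w+)?$")

def parse_version(text):
    """Return (major, minor, patch) or None if the string is not a plain release version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True/False for a parseable version, None when it cannot be classified."""
    v = parse_version(version)
    if v is None:
        return None
    if v < (4, 3, 0):
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# Coordinate lines as printed by `mvn dependency:list`: groupId:artifactId:type:version:scope
DEP_RE = re.compile(r"org\.springframework:(spring-[\w-]+):jar:([^:\s]+):\w+")

def find_affected(dependency_list):
    """Return (artifact, version) pairs that are affected or could not be classified."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP_RE.search(line)
        if m and is_affected(m.group(2)) is not False:
            findings.append((m.group(1), m.group(2)))
    return findings

# Constructed sample output (hypothetical project, not a real build log).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.1.14.RELEASE:compile
[INFO]    org.springframework:spring-web:jar:5.1.14.RELEASE:compile
[INFO]    org.springframework:spring-webmvc:jar:5.2.9.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.11.2:compile
"""
```

Run `mvn dependency:list` in the implementation project and feed its output to `find_affected` to see which Spring artifacts still need the parent POM bump.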