Vulnerability in Spring Core 5
Issue date: 29-10-2020
Affects versions: 14.2, 13.4, 12.6
Security Issue ID
SECURITY-188
Affected Product Version(s)
14.3.1, 13.4.4, 12.6.11 (and previous patch releases)
Severity
low
Description
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD (Reflected File Download) attacks introduced for CVE-2015-5211 may be bypassed, depending on the browser used, through the use of a jsessionid path parameter. Although brXM is not vulnerable to this issue in its standard configuration, customer projects may be using this library in a vulnerable way. Spring has been upgraded to version 5.1.15 for brXM 14.3.2 and 13.4.5, and to version 4.3.29 for version 12.6.12.
See CVE-2020-5421.
Instructions
Customers are recommended to upgrade to the latest maintenance or minor releases indicated above. This can be done by simply updating the version number of the parent POM of the implementation project.
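As an added check that is not part of this advisory, the following script compares a Spring Framework version string (or the spring-core jar names found in a deployment's WEB-INF/lib) against the affected ranges listed above, so a project can confirm whether the library it actually ships is in scope before and after the POM update. The jar paths in the usage call are constructed sample input.

```python
# Added example, not Bloomreach code: check Spring Framework versions against
# the affected ranges stated in the advisory for CVE-2020-5421.
import re

# Affected ranges exactly as listed in the advisory, inclusive (low, high).
AFFECTED_RANGES = [
    ((5, 2, 0), (5, 2, 8)),
    ((5, 1, 0), (5, 1, 17)),
    ((5, 0, 0), (5, 0, 18)),
    ((4, 3, 0), (4, 3, 28)),
]

# Matches spring-core jar names such as spring-core-5.1.17.RELEASE.jar.
JAR_RE = re.compile(r"spring-core-(\d+\.\d+\.\d+)[^/\\]*\.jar$")


def parse_version(version):
    """Turn '5.2.8.RELEASE' or '4.3.28' into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version lies in an affected range.

    Anything older than 4.3.0 is an 'older unsupported version' per the
    advisory and is therefore also reported as affected.
    """
    v = parse_version(version)
    if v < (4, 3, 0):
        return True
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def affected_jars(jar_paths):
    """Return the spring-core jar paths whose version is affected."""
    hits = []
    for path in jar_paths:
        m = JAR_RE.search(path)
        if m and is_affected(m.group(1)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed sample jar names, not taken from a real deployment.
    sample = ["WEB-INF/lib/spring-core-5.1.17.RELEASE.jar",
              "WEB-INF/lib/spring-core-4.3.29.RELEASE.jar"]
    print(affected_jars(sample))
```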