CVE-2020-5407 - OpenCVE

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pivotal Software	Spring Security

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:spring_security::::::::
	cpe:2.3:a:pivotal_software:spring_security::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E
https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E
https://tanzu.vmware.com/security/cve-2020-5407
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: pivotal

Published: 2020-05-13T17:00:15.881645Z

Updated: 2024-09-16T23:56:17.066Z

Reserved: 2020-01-03T00:00:00

Link: CVE-2020-5407

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-13T17:15:11.967

Modified: 2023-11-07T03:23:46.787

Link: CVE-2020-5407

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Spring Security", "vendor": "Spring by VMware", "versions": [{"lessThan": "5.2.4", "status": "affected", "version": "5.2", "versionType": "custom"}, {"lessThan": "5.3.2", "status": "affected", "version": "5.3", "versionType": "custom"}]}], "datePublic": "2020-05-13T00:00:00", "descriptions": [{"lang": "en", "value": "Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-14T17:20:23", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"name": "[servicemix-issues] 20200514 [jira] [Created] (SM-4384) Create OSGi bundles for spring-security 5.3.2.RELEASE + 5.1.10.RELEASE", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E"}, {"name": "[geode-dev] 20200521 Re: Proposal to backport GEODE-8167", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E"}, {"name": "[geode-dev] 20200521 Proposal to backport GEODE-8167", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Signature Wrapping Vulnerability with spring-security-saml2-service-provider", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2020-05-13T00:00:00.000Z", "ID": "CVE-2020-5407", "STATE": "PUBLIC", "TITLE": "Signature Wrapping Vulnerability with spring-security-saml2-service-provider"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Security", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "5.2", "version_value": "5.2.4"}, {"affected": "<", "version_affected": "<", "version_name": "5.3", "version_value": "5.3.2"}]}}]}, "vendor_name": "Spring by VMware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid."}]}, "impact": null, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347: Improper Verification of Cryptographic Signature"}]}]}, "references": {"reference_data": [{"name": "[servicemix-issues] 20200514 [jira] [Created] (SM-4384) Create OSGi bundles for spring-security 5.3.2.RELEASE + 5.1.10.RELEASE", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7@%3Cissues.servicemix.apache.org%3E"}, {"name": "[geode-dev] 20200521 Re: Proposal to backport GEODE-8167", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c@%3Cdev.geode.apache.org%3E"}, {"name": "[geode-dev] 20200521 Proposal to backport GEODE-8167", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a@%3Cdev.geode.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "https://tanzu.vmware.com/security/cve-2020-5407", "refsource": "CONFIRM", "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:30:23.906Z"}, "title": "CVE Program Container", "references": [{"name": "[servicemix-issues] 20200514 [jira] [Created] (SM-4384) Create OSGi bundles for spring-security 5.3.2.RELEASE + 5.1.10.RELEASE", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E"}, {"name": "[geode-dev] 20200521 Re: Proposal to backport GEODE-8167", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E"}, {"name": "[geode-dev] 20200521 Proposal to backport GEODE-8167", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}]}]}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2020-5407", "datePublished": "2020-05-13T17:00:15.881645Z", "dateReserved": "2020-01-03T00:00:00", "dateUpdated": "2024-09-16T23:56:17.066Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "79167645-DB8D-4B2E-8F41-19BF2B292516", "versionEndExcluding": "5.2.4", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC9C28BC-B248-4CDB-9BA9-C784D74E32A5", "versionEndExcluding": "5.3.2", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid."}, {"lang": "es", "value": "Spring Security versiones 5.2.x anteriores a 5.2.4 y versiones 5.3.x anteriores a 5.3.2, contienen una vulnerabilidad de empaquetado de firma durante la comprobaci\u00f3n de respuesta SAML. Cuando se usa el componente spring-security-saml2-service-provider, un usuario malicioso puede modificar cuidadosamente una respuesta SAML v\u00e1lida y agregar una afirmaci\u00f3n arbitraria que Spring Security aceptar\u00e1 como v\u00e1lida."}], "id": "CVE-2020-5407", "lastModified": "2023-11-07T03:23:46.787", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-13T17:15:11.967", "references": [{"source": "security@pivotal.io", "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E"}, {"source": "security@pivotal.io", "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E"}, {"source": "security@pivotal.io", "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E"}, {"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"source": "security@pivotal.io", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security@pivotal.io", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "security@pivotal.io", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security@pivotal.io", "type": "Secondary"}]}