CVE-2020-5407 - OpenCVE

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Pivotal Software	Spring Security

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:spring_security::::::::
	cpe:2.3:a:pivotal_software:spring_security::::::::

References

Link	Resource
https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E
https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E
https://tanzu.vmware.com/security/cve-2020-5407	Vendor Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: pivotal

Published: 2020-05-13T00:00:00

Updated: 2021-06-14T17:20:23

Reserved: 2020-01-03T00:00:00

Link: CVE-2020-5407

JSON object: View

NVD Information

Status : Modified

Published: 2020-05-13T17:15:11.967

Modified: 2023-11-07T03:23:46.787

Link: CVE-2020-5407

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"containers": {"cna": {"affected": [{"product": "Spring Security", "vendor": "Spring by VMware", "versions": [{"lessThan": "5.2.4", "status": "affected", "version": "5.2", "versionType": "custom"}, {"lessThan": "5.3.2", "status": "affected", "version": "5.3", "versionType": "custom"}]}], "datePublic": "2020-05-13T00:00:00", "descriptions": [{"lang": "en", "value": "Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-14T17:20:23", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"name": "[servicemix-issues] 20200514 [jira] [Created] (SM-4384) Create OSGi bundles for spring-security 5.3.2.RELEASE + 5.1.10.RELEASE", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E"}, {"name": "[geode-dev] 20200521 Re: Proposal to backport GEODE-8167", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E"}, {"name": "[geode-dev] 20200521 Proposal to backport GEODE-8167", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Signature Wrapping Vulnerability with spring-security-saml2-service-provider", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2020-05-13T00:00:00.000Z", "ID": "CVE-2020-5407", "STATE": "PUBLIC", "TITLE": "Signature Wrapping Vulnerability with spring-security-saml2-service-provider"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Security", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "5.2", "version_value": "5.2.4"}, {"affected": "<", "version_affected": "<", "version_name": "5.3", "version_value": "5.3.2"}]}}]}, "vendor_name": "Spring by VMware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid."}]}, "impact": null, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347: Improper Verification of Cryptographic Signature"}]}]}, "references": {"reference_data": [{"name": "[servicemix-issues] 20200514 [jira] [Created] (SM-4384) Create OSGi bundles for spring-security 5.3.2.RELEASE + 5.1.10.RELEASE", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7@%3Cissues.servicemix.apache.org%3E"}, {"name": "[geode-dev] 20200521 Re: Proposal to backport GEODE-8167", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c@%3Cdev.geode.apache.org%3E"}, {"name": "[geode-dev] 20200521 Proposal to backport GEODE-8167", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a@%3Cdev.geode.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "https://tanzu.vmware.com/security/cve-2020-5407", "refsource": "CONFIRM", "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2020-5407", "datePublished": "2020-05-13T00:00:00", "dateReserved": "2020-01-03T00:00:00", "dateUpdated": "2021-06-14T17:20:23", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "79167645-DB8D-4B2E-8F41-19BF2B292516", "versionEndExcluding": "5.2.4", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC9C28BC-B248-4CDB-9BA9-C784D74E32A5", "versionEndExcluding": "5.3.2", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid."}, {"lang": "es", "value": "Spring Security versiones 5.2.x anteriores a 5.2.4 y versiones 5.3.x anteriores a 5.3.2, contienen una vulnerabilidad de empaquetado de firma durante la comprobaci\u00f3n de respuesta SAML. Cuando se usa el componente spring-security-saml2-service-provider, un usuario malicioso puede modificar cuidadosamente una respuesta SAML v\u00e1lida y agregar una afirmaci\u00f3n arbitraria que Spring Security aceptar\u00e1 como v\u00e1lida."}], "id": "CVE-2020-5407", "lastModified": "2023-11-07T03:23:46.787", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-13T17:15:11.967", "references": [{"source": "security@pivotal.io", "url": "https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E"}, {"source": "security@pivotal.io", "url": "https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E"}, {"source": "security@pivotal.io", "url": "https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E"}, {"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://tanzu.vmware.com/security/cve-2020-5407"}, {"source": "security@pivotal.io", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security@pivotal.io", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "security@pivotal.io", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security@pivotal.io", "type": "Secondary"}]}