What is CVE-2020-5407?

CVE-2020-5407 is a high-severity vulnerability in Pivotal_software Spring_security, classified under Improper Verification of Cryptographic Signature. CVSS score: 8.8/10. Published 2020-05-13.

How severe is CVE-2020-5407?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2020-5407 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Pivotal_software Spring_security

CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefu…

EPSS: 0.012 (64.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Pivotal_software Spring_security
Spring By Vmware Security — versions 5.2, 5.3

Weakness classification (CWE)

CWE-347 — Improper Verification of Cryptographic Signature

Public proof-of-concept exploits

Farrhouq/Inpt-report

References

security@pivotal.io (mailing-list, x_refsource_MLIST)
security@pivotal.io (mailing-list, x_refsource_MLIST)
security@pivotal.io (mailing-list, x_refsource_MLIST)
security@pivotal.io (x_refsource_MISC)
security@pivotal.io (x_refsource_CONFIRM, Vendor Advisory)
security@pivotal.io (x_refsource_MISC)
security@pivotal.io (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-5407?: CVE-2020-5407 is a high-severity vulnerability in Pivotal_software Spring_security, classified under Improper Verification of Cryptographic Signature. CVSS score: 8.8/10. Published 2020-05-13.
How severe is CVE-2020-5407?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2020-5407 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.