CVE-2020-5421

MEDIUM

Spring Framework 4.3.0-4.3.28, 5.0.0-5.0.18, 5.1.0-5.1.17, 5.2.0-5.2.8 - Reflected File Download (RFD) protection bypass


Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-5421. PoCs published by JAckLosingHeart, pandaMingx.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2020-5421, demonstrating a path traversal vulnerability in Spring MVC. The exploit leverages the ';jsessionid=' parameter to bypass file extension restrictions and execute arbitrary commands via crafted requests.

Description

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Exploits (2)

GitHub · Working PoC · 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/spring-CVE-2020-5421

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Spring Framework (Spring MVC)
No auth needed
Prerequisites: Spring MVC application with vulnerable endpoint · Access to the target application
devstral-2 · analyzed Feb 27, 2026
nomisec · Working PoC · 3 stars
by pandaMingx · poc
https://github.com/pandaMingx/CVE-2020-5421

This repository contains a functional proof-of-concept for CVE-2020-5421, demonstrating how the jsessionid path parameter can bypass RFD attack protections in Spring Framework. The exploit leverages suffix pattern matching and content negotiation to force file downloads with arbitrary extensions.

Classification
Working PoC 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Spring Framework 5.2.0-5.2.8, 5.1.0-5.1.17, 5.0.0-5.0.18, 4.3.0-4.3.28
No auth needed
Prerequisites: Suffix pattern matching enabled (spring.mvc.pathmatch.use-suffix-pattern=true) · Content negotiation enabled (spring.mvc.contentnegotiation.favor-path-extension=true)
devstral-2 · analyzed Feb 18, 2026

References (24)

https://tanzu.vmware.com/security/cve-2020-5421 (Vendor Advisory; x_refsource_confirm)
https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory; x_refsource_misc)
https://security.netapp.com/advisory/ntap-20210513-0009/ (Third Party Advisory; x_refsource_confirm)
https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpuoct2021.html (Not Applicable, Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 6.5
EPSS 0.1074
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

Details

Status published
Products (50)
netapp/oncommand_insight
netapp/snap_creator_framework
netapp/snapcenter
oracle/commerce_guided_search 11.3.2
oracle/communications_brm 11.3.0.9
oracle/communications_brm 12.0.0.3
oracle/communications_design_studio 7.3.4
oracle/communications_design_studio 7.3.5
oracle/communications_design_studio 7.4.0
oracle/communications_session_report_manager 8.2.1 - 8.2.2.1
... and 40 more
Published Sep 19, 2020
Tracked Since Feb 18, 2026