The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-5421

CVE-2020-5421: Spring Framework Auth Bypass Vulnerability

CVE-2020-5421 is an authentication bypass flaw in VMware Spring Framework that allows attackers to bypass RFD protections using jsessionid path parameters. This article covers technical details, affected versions, and mitigation.

Published: March 4, 2026

CVE-2020-5421 Overview

CVE-2020-5421 is a security vulnerability in VMware Spring Framework that allows attackers to bypass Reflected File Download (RFD) attack protections that were originally implemented in response to CVE-2015-5211. The bypass is achieved through the use of a jsessionid path parameter, and the success of exploitation depends on the browser being used by the victim.

Reflected File Download attacks are a class of web application vulnerabilities that can trick users into downloading and executing malicious files. The original protections implemented in Spring Framework were designed to prevent attackers from manipulating HTTP response headers to create downloadable content with attacker-controlled filenames. This vulnerability represents a bypass of those protections, potentially allowing attackers to resume RFD attack techniques against Spring Framework applications.

Critical Impact

Attackers can bypass RFD attack protections to potentially trick users into downloading malicious files, leading to client-side code execution and compromised user systems.

Affected Products

  • VMware Spring Framework versions 5.2.0 - 5.2.8
  • VMware Spring Framework versions 5.1.0 - 5.1.17
  • VMware Spring Framework versions 5.0.0 - 5.0.18
  • VMware Spring Framework versions 4.3.0 - 4.3.28
  • Oracle WebLogic Server (versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
  • Oracle Fusion Middleware (versions 12.2.1.3.0, 12.2.1.4.0)
  • NetApp OnCommand Insight, Snap Creator Framework, and SnapCenter

Discovery Timeline

  • September 19, 2020 - CVE-2020-5421 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-5421

Vulnerability Analysis

This vulnerability exists in the Spring Framework's request handling mechanism, specifically in how it processes URL paths containing session identifiers. Spring Framework implemented protections against Reflected File Download attacks following CVE-2015-5211, which aimed to prevent attackers from manipulating response content disposition headers.

The bypass leverages the jsessionid path parameter, which is a URL rewriting technique used to maintain session state when cookies are disabled. When a request contains a jsessionid path parameter in a specific format, the RFD protection logic fails to properly sanitize or validate the request, allowing the original attack vector to be exploited.

The effectiveness of this bypass is browser-dependent, meaning certain browsers may be more susceptible to the attack than others based on how they handle content disposition headers and file downloads.

Root Cause

The root cause of this vulnerability is incomplete input validation in the RFD protection mechanism. When the original CVE-2015-5211 fix was implemented, it did not account for all possible URL encoding schemes and path parameter variations. The jsessionid path parameter represents a legitimate URL rewriting feature, but its presence in certain positions can cause the security validation logic to be bypassed.

The underlying issue stems from the complexity of URL parsing and the multiple ways session identifiers can be embedded in request paths. The protection logic failed to normalize URLs before applying security checks, allowing the jsessionid parameter to act as an escape mechanism.

Attack Vector

The attack requires network access and user interaction to be successful. An attacker would need to craft a malicious URL targeting a vulnerable Spring Framework application and convince a victim to click on it. The attack flow typically involves:

  1. The attacker identifies a Spring Framework endpoint that returns user-controllable content
  2. A specially crafted URL is created that includes a jsessionid path parameter designed to bypass RFD protections
  3. The victim is tricked into clicking the malicious link (via phishing, social engineering, etc.)
  4. The victim's browser downloads a file with an attacker-controlled filename
  5. If the victim executes the downloaded file, arbitrary code may run on their system

The attack requires low privileges on the target application but does require user interaction, as the victim must click the malicious link and potentially execute the downloaded file.

Detection Methods for CVE-2020-5421

Indicators of Compromise

  • Unusual URL patterns in web server logs containing jsessionid path parameters with suspicious file extensions
  • HTTP requests attempting to manipulate Content-Disposition headers
  • Access logs showing requests with encoded special characters in the jsessionid parameter value
  • User reports of unexpected file downloads when accessing application URLs

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests containing suspicious jsessionid path parameter patterns
  • Monitor HTTP response headers for unexpected Content-Disposition values, particularly those containing executable file extensions
  • Deploy log analysis to identify URL patterns that match known RFD attack signatures
  • Utilize endpoint detection solutions to identify unusual file downloads originating from web applications

Monitoring Recommendations

  • Enable detailed access logging on all Spring Framework applications to capture full request URLs including path parameters
  • Configure SIEM alerts for requests containing jsessionid parameters combined with file download responses
  • Monitor for bulk scanning activity that may indicate attackers probing for vulnerable endpoints
  • Track Content-Disposition header modifications in application responses

How to Mitigate CVE-2020-5421

Immediate Actions Required

  • Upgrade VMware Spring Framework to patched versions: 5.2.9 or later, 5.1.18 or later, 5.0.19 or later
  • Apply relevant patches from Oracle Critical Patch Updates for affected Oracle products
  • Review application configurations to identify endpoints that may be vulnerable to RFD attacks
  • Implement additional input validation at the application layer as a defense-in-depth measure

Patch Information

VMware has released patched versions of Spring Framework that address this vulnerability. Organizations should upgrade to the following minimum versions:

  • Spring Framework 5.2.x: Upgrade to 5.2.9 or later
  • Spring Framework 5.1.x: Upgrade to 5.1.18 or later
  • Spring Framework 5.0.x: Upgrade to 5.0.19 or later
  • Spring Framework 4.3.x: Upgrade to 4.3.29 or later

For Oracle products, refer to the Oracle CPU April 2021 Advisory, Oracle CPU January 2021 Advisory, and subsequent Critical Patch Updates. For NetApp products, refer to the NetApp Security Advisory NTAP-20210513-0009.

Additional vendor advisories are available from VMware Security Advisory.

Workarounds

  • Disable URL session tracking by enforcing cookie-based session management only, preventing jsessionid path parameters from being processed
  • Implement strict Content-Security-Policy headers to restrict file downloads and script execution
  • Deploy web application firewall rules to block requests containing suspicious path parameter patterns
  • Configure response header filtering to prevent manipulation of Content-Disposition headers
bash
# Example: Disable URL-based session tracking in Spring Boot application.properties
server.servlet.session.tracking-modes=cookie

# Example: Configure Spring Security to enforce cookie-only sessions
# Add to security configuration class
# http.sessionManagement().sessionFixation().migrateSession()

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechSpring Framework
  • SeverityMEDIUM
  • CVSS Score6.5
  • EPSS Probability63.83%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityNone
  • CWE References
  • NVD-CWE-noinfo
  • Technical References
  • Apache Ambari Commit Notification
  • Apache Ambari Issue Notification
  • Apache Pulsar Commit Notification
  • Apache Pulsar Commit Notification
  • Apache Ambari Issue Notification
  • Apache Hive Issue Notification
  • Apache Ambari Dev Update
  • Apache Pulsar Commit Notification
  • Apache Ambari Dev Update
  • Apache Ignite User Notification
  • Apache Ignite User Notification
  • Apache Pulsar Commit Notification
  • Apache Hive Issue Notification
  • Apache Hive Issue Notification
  • Apache Ranger Dev Update
  • Apache Hive Dev Update
  • NetApp Security Advisory NTAP-20210513-0009
  • Oracle CPU October 2021 Advisory
  • Vendor Resources
  • VMware Security CVE-2020-5421
  • Oracle CPU July 2021 Advisory
  • Oracle CPU April 2021 Advisory
  • Oracle CPU April 2022 Advisory
  • Oracle CPU January 2021 Advisory
  • Oracle CPU January 2022 Advisory
  • Related CVEs
  • CVE-2025-41254: Spring Framework Auth Bypass Vulnerability
  • CVE-2025-41249: Spring Framework Auth Bypass Vulnerability
  • CVE-2025-22233: Spring Framework Auth Bypass Vulnerability
  • CVE-2026-22737: Spring Framework Info Disclosure Bug
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English