CVE-2020-5398

Description

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Related CPE's

avmwarespring_framework********

avmwarespring_framework********

avmwarespring_framework********

aoracleflexcube_private_banking12.1.0*******

aoracleinsurance_policy_administration_j2ee10.2.0*******

aoracleflexcube_private_banking12.0.0*******

aoracleinsurance_rules_palette10.2.0*******

aoracleretail_service_backbone15.0*******

aoracleretail_back_office14.1*******

aoracleweblogic_server12.2.1.3.0*******

References

https://pivotal.io/security/cve-2020-5398

Vendor Advisory

[camel-commits] 20200220 [camel] branch camel-2.25.x updated: Updating Spring due to CVE-2020-5398

Mailing ListThird Party Advisory

[geode-dev] 20200410 Proposal to bring GEODE-7970 to support/1.12

Mailing ListThird Party Advisory

[geode-dev] 20200410 Re: Proposal to bring GEODE-7970 to support/1.12

Mailing ListThird Party Advisory

N/A

Third Party Advisory

[karaf-issues] 20200514 [jira] [Updated] (KARAF-6721) Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200514 [GitHub] [karaf] coheigea opened a new pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200514 [jira] [Created] (KARAF-6721) Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200514 [jira] [Commented] (KARAF-6721) Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200514 [GitHub] [karaf] skitt commented on a change in pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200514 [GitHub] [karaf] coheigea commented on a change in pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200517 [jira] [Assigned] (KARAF-6721) Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200517 [jira] [Updated] (KARAF-6721) Upgrade to Spring 5.1.14.RELEASE and 5.2.5.RELEASE due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200517 [jira] [Updated] (KARAF-6721) Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200517 [GitHub] [karaf] jbonofre commented on a change in pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200517 [GitHub] [karaf] jbonofre commented on pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200517 [jira] [Commented] (KARAF-6721) Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200518 [GitHub] [karaf] jbonofre removed a comment on pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200518 [jira] [Commented] (KARAF-6721) Upgrade to Spring 5.1.14.RELEASE and 5.2.5.RELEASE due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200518 [GitHub] [karaf] jbonofre commented on pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200518 [karaf] branch karaf-4.2.x updated: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-issues] 20200518 [jira] [Resolved] (KARAF-6721) Upgrade to Spring 5.1.14.RELEASE and 5.2.5.RELEASE due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200518 [GitHub] [karaf] jbonofre merged pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

[karaf-commits] 20200518 [karaf] branch master updated: KARAF-6721 - Update Spring versions due to CVE-2020-5398

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/r712a6fce928e24e7b6ec30994a7e115a70f1f6e4cf2c2fbf0347ce46@%3Ccommits.servicecomb.apache.org%3E

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/ra996b56e1f5ab2fed235a8b91fa0cc3cf34c2e9fee290b7fa4380a0d@%3Ccommits.servicecomb.apache.org%3E

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/r881fb5a95ab251106fed38f836257276feb026bfe01290e72ff91c2a@%3Ccommits.servicecomb.apache.org%3E

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

[ambari-issues] 20201013 [jira] [Created] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

Mailing ListThird Party Advisory

[ambari-commits] 20201019 [ambari] branch branch-2.7 updated: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 (dlysnichenko) (#3246)

Mailing ListThird Party Advisory

[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko opened a new pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

Mailing ListThird Party Advisory

[ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko merged pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory

[ambari-issues] 20201021 [jira] [Resolved] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://lists.apache.org/thread.html/rded5291e25a4c4085a6d43cf262e479140198bf4eabb84986e0a1ef3@%3Cdev.rocketmq.apache.org%3E

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/r27552d2fa10d96f2810c50d16ad1fd1899e37796c81a0c5e7585a02d@%3Cdev.rocketmq.apache.org%3E

Mailing ListThird Party Advisory

[rocketmq-dev] 20210317 [GitHub] [rocketmq-externals] vongosling commented on issue #690: Spring Framework CVE-2020-5398

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/r645408661a8df9158f49e337072df39838fa76da629a7e25a20928a6@%3Cdev.rocketmq.apache.org%3E

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

PatchThird Party Advisory

N/A

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20210917-0006/

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

PatchThird Party Advisory

N/A

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AttackVector

NETWORK

AttackComplexity

HIGH

PrivilegesRequired

NONE

UserInteraction

REQUIRED

Scope

UNCHANGED

ConfidentialityImpact

HIGH

IntegrityImpact

HIGH

AvailabilityImpact

HIGH

BaseScore

7.5

BaseSeverity

HIGH

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:H/Au:N/C:C/I:C/A:C

AccessVector

NETWORK

AccessComplexity

HIGH

Authentication

NONE

ConfidentialityImpact

COMPLETE

IntegrityImpact

COMPLETE

AvailabilityImpact

COMPLETE

BaseScore

7.599999904632568

Created by Yello
About Severity.io