CVE-2020-5398: Spring Framework Reflected File Download Attack Alert

On January 17, 2020, we observed that Spring officially published an advisory for CVE-2020-5398, rated high severity.

In the Spring Framework, versions 5.2.x before 5.2.3, versions 5.1.x before 5.1.13, and versions 5.0.x before 5.0.16, applications are vulnerable to reflected file download (RFD) attacks. The issue arises when an application sets a "Content-Disposition" response header whose filename attribute is derived from user-supplied input.
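To make the condition concrete, here is an added example (not code from the advisory or from the Spring project) of a Spring MVC controller that copies a user-supplied name into the Content-Disposition header, beside a hardened version that validates the name against an allowlist, pins the extension server-side, and builds the header with Spring's `ContentDisposition`. The class, endpoint paths, and the `SAFE_NAME` pattern are assumptions made for the illustration.

```java
// Added example, not from the advisory or the Spring project. Controller and
// endpoint names are hypothetical; the sample body is constructed.
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class ExportController {

    // Allowlist (assumed policy): starts with a letter or digit, then only
    // letters, digits, dot, dash, underscore; no quotes, separators or control characters.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$");

    private static final String SAMPLE_BODY = "id,value\n1,example\n"; // constructed sample payload

    // Vulnerable pattern: the filename attribute is taken verbatim from the request,
    // so the client controls the name (and extension) the browser will save the body under.
    @GetMapping("/export/unsafe")
    public ResponseEntity<String> unsafeExport(@RequestParam String name) {
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + name + "\"")
                .contentType(MediaType.TEXT_PLAIN)
                .body(SAMPLE_BODY);
    }

    // Hardened: reject anything outside the allowlist, choose the extension on the
    // server, and let ContentDisposition render the header value.
    @GetMapping("/export/safe")
    public ResponseEntity<String> safeExport(@RequestParam String name) {
        String fileName = safeFileName(name, "csv");
        ContentDisposition cd = ContentDisposition.builder("attachment")
                .filename(fileName)
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body(SAMPLE_BODY);
    }

    // Validates the requested name and returns "<base>.<extension>" with the
    // server-chosen extension; any client-supplied extension is discarded.
    static String safeFileName(String requested, String extension) {
        if (requested == null || !SAFE_NAME.matcher(requested).matches()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid file name");
        }
        int dot = requested.indexOf('.');
        String base = dot < 0 ? requested : requested.substring(0, dot);
        return base + "." + extension;
    }
}
```

The allowlist removes the characters an attacker would need to break out of the quoted filename, and fixing the extension on the server means the response cannot be made to download as an executable type regardless of what the client requests. Upgrading to a patched framework version remains the primary fix; application-level validation like this is defense in depth for any code path that still reflects user input into the header.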


We assess the vulnerability as high severity with a large potential impact. Spring MVC and Spring WebFlux users are advised to install the patched versions promptly to avoid exploitation.

Affected version

Spring Framework

  • 5.2.0 to 5.2.2
  • 5.1.0 to 5.1.12
  • 5.0.0 to 5.0.15

Solution

Spring Framework 5.2.x users should upgrade to 5.2.3, 5.1.x users should upgrade to 5.1.13, and 5.0.x users should upgrade to 5.0.16.