Mon. Apr 6th, 2020

CVE-2020-5398: Spring Framework Reflected File Download Attack Alert

1 min read

On January 17, 2020, we monitored that Spring officially released the CVE-2020-5398 vulnerability warning, with a high vulnerability level.

In the Spring Framework, versions 5.2.x before 5.2.x, versions 5.1.x before 5.1.13, and 5.0.x before 5.0.16, applications are vulnerable to reflection file download (RFD) attacks. The attack is caused by setting the “Content-Disposition” response header in the response, where the filename attribute comes from the input provided by the user.

Spring Framework

We judge that the vulnerability level is high and the harm/impact is large. It is recommended that Spring MVC or Spring WebFlux users should install the latest patches in time to avoid hacking.

Affected version

Spring Framework

  • 5.2.0 to 5.2.2
  • 5.1.0 to 5.1.12
  • 5.0.0 to 5.0.15

Solution

It is recommended that the Spring Framework 5.2.x users should upgrade to the Spring Framework 5.2.3. The Spring Framework 5.1.x users should upgrade to the Spring Framework 5.1.13. The Spring Framework 5.0.x users should upgrade to the Spring Framework 5.0.16.