In the Spring Framework, versions 5.2.x before 5.2.3, versions 5.1.x before 5.1.13, and versions 5.0.x before 5.0.16, applications are vulnerable to reflected file download (RFD) attacks. The attack is possible when an application sets the "Content-Disposition" response header with a filename attribute derived from user-supplied input.
We judge the severity of this vulnerability to be high and its potential impact to be large. Spring MVC and Spring WebFlux users are advised to install the latest patches promptly to avoid exploitation.

Affected versions:

- 5.2.0 to 5.2.2
- 5.1.0 to 5.1.12
- 5.0.0 to 5.0.15
Spring Framework 5.2.x users should upgrade to Spring Framework 5.2.3, 5.1.x users should upgrade to Spring Framework 5.1.13, and 5.0.x users should upgrade to Spring Framework 5.0.16.
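As an added illustration, not code from the Spring project or from this advisory, the hypothetical Spring MVC controller below shows the pattern the advisory describes (a filename attribute built from a request parameter) next to a hardened endpoint that validates the name against an allowlist, fixes the extension server-side, and lets Spring's ContentDisposition builder encode the header. The class name, endpoint paths and parameter names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ReportController {

    // Allowlist for the user-chosen part of the name: no quotes, separators,
    // path characters or control characters can get through (assumed policy).
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Pattern the advisory warns about: the filename attribute is concatenated
    // from the raw request parameter, so the caller controls the downloaded
    // file's name, including its extension. Hypothetical endpoint.
    @GetMapping("/report/export")
    public ResponseEntity<String> exportUnsafe(@RequestParam String name) {
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + name + "\"")
                .contentType(MediaType.TEXT_PLAIN)
                .body("report data");
    }

    // Hardened endpoint: reject anything outside the allowlist, append a
    // server-chosen extension, and build the header value with ContentDisposition
    // instead of string concatenation. Hypothetical endpoint.
    @GetMapping("/report/export-safe")
    public ResponseEntity<String> exportSafe(@RequestParam String name) {
        if (!SAFE_NAME.matcher(name).matches()) {
            return ResponseEntity.badRequest().build();
        }
        ContentDisposition disposition = ContentDisposition.builder("attachment")
                .filename(name + ".txt", StandardCharsets.UTF_8)
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, disposition.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body("report data");
    }
}
```

Upgrading to the fixed Spring Framework release remains the primary remediation; the allowlist and fixed extension are defence in depth that keep the filename attribute out of the caller's hands regardless of framework version.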