CVE-2020-5421: Spring Framework Reflected File Download Vulnerability Alert
VMware Tanzu recently issued a security bulletin announcing a Reflected File Download (RFD) vulnerability in the Spring Framework, tracked as CVE-2020-5421. The flaw bypasses the existing protection against RFD attacks through the jsessionid path parameter; that protection was originally added in response to CVE-2015-5211.
An attacker sends the user a URL carrying a batch-script extension so that the user downloads and executes the resulting file, thereby compromising the user's system.
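For defenders who want to find such requests in existing traffic, the following added example (not part of the advisory or of the Spring project) scans access-log lines for the two traits the bulletin describes: a `;` path parameter such as `;jsessionid=` and a batch-script extension. The log layout, the extension list and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# File extensions a Windows shell runs directly when a downloaded file is
# opened (assumed list for this example; extend to match your environment).
SCRIPT_EXTENSIONS = (".bat", ".cmd")

# Common/combined access-log layout; adjust the pattern to your server's format.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify_target(target):
    """Return 'path-parameter' when a script extension sits inside a ';' path
    parameter such as ';jsessionid=...' (the shape CVE-2020-5421 relies on),
    'extension' when the plain path ends in one, or None otherwise."""
    path = unquote(target.split("?", 1)[0]).lower()
    last_segment = path.rsplit("/", 1)[-1]
    plain, _, params = last_segment.partition(";")
    if params and params.endswith(SCRIPT_EXTENSIONS):
        return "path-parameter"
    if plain.endswith(SCRIPT_EXTENSIONS):
        return "extension"
    return None

def scan_access_log(lines):
    """Return (client, target, kind) for every successfully served request
    whose target looks like a reflected-file-download attempt."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("status").startswith("2"):
            continue  # unparsable, or the server never served the content
        kind = classify_target(m.group("target"))
        if kind:
            hits.append((m.group("client"), m.group("target"), kind))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2020:12:00:01 +0000] "GET /api/search?q=test HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2020:12:00:02 +0000] "GET /api/search;jsessionid=1A2B.bat?q=x HTTP/1.1" 200 640',
    '203.0.113.9 - - [10/Sep/2020:12:00:03 +0000] "GET /api/search/setup.cmd HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

Only the path-parameter kind is specific to CVE-2020-5421; the plain-extension kind is the older CVE-2015-5211 shape and is reported separately so you can tell the two apart.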
Affected versions
- Spring Framework 5.2.0 – 5.2.8
- Spring Framework 5.1.0 – 5.1.17
- Spring Framework 5.0.0 – 5.0.18
- Spring Framework 4.3.0 – 4.3.28
- Older, unsupported versions
Unaffected versions
- Spring Framework 5.2.9
- Spring Framework 5.1.18
- Spring Framework 5.0.19
- Spring Framework 4.3.29
Solution
The Spring Framework project has released fixed versions for each affected branch; users are advised to upgrade to an unaffected version as soon as possible.