CVE-2020-5421: Spring Framework Reflected File Download Vulnerability Alert

Recently, VMware Tanzu issued a security bulletin announcing a Reflected File Download (RFD) vulnerability, CVE-2020-5421, in the Spring Framework. CVE-2020-5421 bypasses the protection against RFD attacks through the jsessionid path parameter; that protection had been added in response to the earlier CVE-2015-5211 vulnerability.

The attacker sends the user a URL with a batch script extension so that the user downloads and executes the file, thereby harming the user's system.
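The protection the bulletin refers to works by inspecting the extension of the requested resource and, when that extension is not on a small allowlist, adding a Content-Disposition header that prevents the browser from saving the response under the attacker-chosen name. The following Python model, added here as an illustration and not code from the Spring Framework or VMware, shows why the check has to be made on the path with ";name=value" path parameters (such as ;jsessionid=...) removed: a naive check that looks only at the raw last path segment and a hardened check that considers both the raw and the parameter-stripped name disagree exactly on URIs that carry a path parameter. The allowlist, the header value and the request URIs are constructed assumptions for this example.

```python
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Representative allowlist of extensions a browser handles in place rather
# than offering a download (assumption for this example, not Spring's list).
SAFE_EXTENSIONS = frozenset({
    "txt", "text", "yml", "properties", "csv", "json", "xml",
    "atom", "rss", "png", "jpe", "jpeg", "jpg", "gif", "wbmp", "bmp",
})

# Header added whenever a name is not known to be safe (assumed value).
FORCED_DISPOSITION = "inline;filename=f.txt"


def strip_path_params(path: str) -> str:
    """Drop ';name=value' path parameters (e.g. ';jsessionid=...') from every segment."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def last_segment(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def extension_of(filename: str) -> str:
    """Lower-cased text after the final dot, or '' when there is no dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_safe_name(filename: str) -> bool:
    # A name with no extension is not saved as an executable type, so it is
    # treated as safe here; any other extension must be on the allowlist.
    ext = extension_of(filename)
    return ext == "" or ext in SAFE_EXTENSIONS


def filename_candidates(request_uri: str) -> List[str]:
    """Every name that could be taken as 'the file' for this URI: the raw last
    segment and the same segment with path parameters removed."""
    path = unquote(urlsplit(request_uri).path)   # query string is not a name
    raw = last_segment(path)
    stripped = last_segment(strip_path_params(path))
    return [raw] if raw == stripped else [raw, stripped]


def naive_content_disposition(request_uri: str) -> Optional[str]:
    """Weak check: inspects only the raw last path segment."""
    raw = last_segment(unquote(urlsplit(request_uri).path))
    return None if is_safe_name(raw) else FORCED_DISPOSITION


def hardened_content_disposition(request_uri: str) -> Optional[str]:
    """Hardened check: the header is omitted only when every candidate name is
    safe, so a path parameter cannot hide an unsafe extension from the check."""
    if all(is_safe_name(name) for name in filename_candidates(request_uri)):
        return None
    return FORCED_DISPOSITION


if __name__ == "__main__":
    # Constructed request URIs for illustration.
    for uri in ("/report.json", "/report.bat", "/report.bat;jsessionid=ABC.json"):
        print(f"{uri:40} naive={naive_content_disposition(uri)!s:25} "
              f"hardened={hardened_content_disposition(uri)}")
```

The hardened variant errs toward adding the header: a legitimate URI such as /report.json;jsessionid=ABC also receives it, because the raw segment's "extension" is not on the allowlist. That is the intended trade-off, since the header only pins the download name and does not affect how the browser renders an allowlisted response.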

Affected version

  • Spring Framework 5.2.0 – 5.2.8
  • Spring Framework 5.1.0 – 5.1.17
  • Spring Framework 5.0.0 – 5.0.18
  • Spring Framework 4.3.0 – 4.3.28
  • Older, unsupported versions

Unaffected version

  • Spring Framework 5.2.9
  • Spring Framework 5.1.18
  • Spring Framework 5.0.19
  • Spring Framework 4.3.29

Solution

Spring Framework has released new versions that fix this vulnerability; users are advised to upgrade to an unaffected version as soon as possible.