GHSA-8wx2-9q48-vm9r

Source
https://github.com/advisories/GHSA-8wx2-9q48-vm9r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-8wx2-9q48-vm9r/GHSA-8wx2-9q48-vm9r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8wx2-9q48-vm9r
Published
2020-01-21T20:59:09Z
Modified
2024-07-15T22:28:02.134480Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application
Details

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response whose filename attribute is derived from user-supplied input.

Database specific
{
    "nvd_published_at": "2020-01-17T00:15:00Z",
    "cwe_ids": [
        "CWE-494",
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-21T20:49:17Z"
}
Affected packages

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0.RELEASE
Fixed
5.2.3.RELEASE

Affected versions

5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0.RELEASE
Fixed
5.1.13.RELEASE

Affected versions

5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0.RELEASE
Fixed
5.0.16.RELEASE

Affected versions

5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE

Maven / org.springframework:spring-webflux

Package

Name
org.springframework:spring-webflux
Purl
pkg:maven/org.springframework/spring-webflux

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0.RELEASE
Fixed
5.2.3.RELEASE

Affected versions

5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE

Maven / org.springframework:spring-webflux

Package

Name
org.springframework:spring-webflux
Purl
pkg:maven/org.springframework/spring-webflux

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0.RELEASE
Fixed
5.1.13.RELEASE

Affected versions

5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE

Maven / org.springframework:spring-webflux

Package

Name
org.springframework:spring-webflux
Purl
pkg:maven/org.springframework/spring-webflux

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0.RELEASE
Fixed
5.0.16.RELEASE

Affected versions

5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE