Skip to main content

Download of Code Without Integrity Check in org.springframework:spring-web

CVE-2020-5398

  • org.springframework:spring-web
Severity High
Score 7.5/10

Summary

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

  • HIGH
  • NETWORK
  • HIGH
  • UNCHANGED
  • REQUIRED
  • NONE
  • HIGH
  • HIGH

CWE-494 - Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Advisory Timeline

  • Published