Bug 1799475 (CVE-2020-5398)
| Field | Value |
|---|---|
| Summary | CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | aileenc, akoufoud, alazarot, almorale, anstephe, chazlett, dblechte, dfediuck, dingyichen, drieden, eedri, etirelli, extras-orphan, ggaughan, gvarsami, hvyas, ibek, janstey, java-sig-commits, jcoleman, jochrist, jolee, jschatte, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, lef, lsurette, mgoldboi, michal.skrivanek, mnovotny, nwallace, pjindal, puebele, puntogil, rrajasek, rsynek, rwagner, sbonazzo, sdaley, sherold, sisharma, tcunning, tkirby, tmielke, yturgema |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | springframework 5.2.3, springframework 5.1.13, springframework 5.0.16 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in springframework in versions prior to 5.0.16, 5.1.13, and 5.2.3. A reflected file download (RFD) attack is possible when a "Content-Disposition" header is set in a response where the filename attribute is derived from user-supplied input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-12-16 16:18:41 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1799477 |
| Bug Blocks | 1799476 |
Description
Guilherme de Almeida Suckevicz
2020-02-06 17:20:51 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1799477]

External References:

https://pivotal.io/security/cve-2020-5398

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss BRMS 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Lowering the severity rating from Important to Moderate for Fuse 7 for the following reasons:

* The vulnerable method `ContentDisposition.Builder#filename(String)`, or `ContentDisposition.Builder#filename(String, US_ASCII)`, is not used directly in the sources
* There is no evidence of the `Content-Disposition` header being derived from user input

This vulnerability is out of security support scope for the following products:

* SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following products:

* Fuse Service Works

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Statement:

This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web.

This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.

This issue has been addressed in the following products:

Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5398
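The Doc Text above describes the failure mode (a `Content-Disposition` filename derived from request input) and the Fuse triage notes the relevant builder method. The following is an added, defensive illustration written for this page; it is not code from the bug report, from Red Hat, or from the Spring project, and it does not depend on spring-web. The class `SafeContentDisposition`, its character allowlist, its extension allowlist and the fallback name are all assumptions of this example; the point it shows is that the header value is never built by concatenating the raw request parameter, and that the extension (the part a reflected file download relies on) is chosen from a server-side list rather than taken from the client.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not from the bug report or the Spring project): builds a
 * Content-Disposition value from a user-supplied name without letting that
 * input control the header verbatim.
 */
public final class SafeContentDisposition {

    // Assumed allowlist for this example: ASCII letters, digits, '.', '-' and '_',
    // no leading dot, at most 100 characters. Path separators, quotes, backslashes,
    // ';' and control characters can never pass.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}");

    // Assumed list of extensions this service is willing to hand out; a script
    // extension supplied by the client is therefore never reflected.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "csv", "txt", "png");

    // Server-chosen fallback used instead of echoing rejected input.
    private static final String FALLBACK_NAME = "download.bin";

    private SafeContentDisposition() {}

    /** Returns the requested name if it passes both allowlists, else the fallback. */
    public static String chooseFilename(String requested) {
        String name = requested == null ? "" : requested.trim();
        if (!SAFE_NAME.matcher(name).matches()) {
            return FALLBACK_NAME;
        }
        int dot = name.lastIndexOf('.');
        if (dot < 0) {
            return FALLBACK_NAME;               // no extension at all
        }
        String ext = name.substring(dot + 1).toLowerCase();
        return ALLOWED_EXTENSIONS.contains(ext) ? name : FALLBACK_NAME;
    }

    /**
     * Escapes the two characters that end or escape an RFC 2616 quoted-string.
     * Redundant after chooseFilename, but kept as defence in depth for callers
     * that pass a name from another source.
     */
    static String quoteForHeader(String name) {
        return name.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Full header value: attachment; filename="<validated name>" */
    public static String attachmentHeader(String requested) {
        return "attachment; filename=\"" + quoteForHeader(chooseFilename(requested)) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example.
        String[] samples = {
            "report-2020.pdf",      // accepted unchanged
            "run.bat",              // extension not allowed: fallback
            "\"; x=y",              // quote and semicolon: fallback
            "../../etc/passwd",     // path traversal characters: fallback
            ".bashrc",              // leading dot: fallback
            null                    // missing parameter: fallback
        };
        for (String s : samples) {
            System.out.println(String.valueOf(s) + " -> " + attachmentHeader(s));
        }
    }
}
```

A controller would call `attachmentHeader(requestParam)` and set the result as the header value; if the application can choose the name itself (for example from a database record it already owns), that is preferable to validating a client-supplied one at all.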