Bug 1799475 (CVE-2020-5398) - CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
Summary: CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sour...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-5398
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1799477
Blocks: 1799476
 
Reported: 2020-02-06 17:20 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-04 09:42 UTC (History)
49 users

Fixed In Version: springframework 5.2.3, springframework 5.1.13, springframework 5.0.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in springframework in versions prior to 5.0.16, 5.1.13, and 5.2.3. A reflected file download (RFD) attack is possible when a "Content-Disposition" header is set in a response where the filename attribute is derived from user-supplied input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-12-16 16:18:41 UTC
Embargoed:




Links
System: Red Hat Product Errata; ID: RHSA-2020:5568; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-12-16 12:13:08 UTC

Description Guilherme de Almeida Suckevicz 2020-02-06 17:20:51 UTC
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Reference:
https://pivotal.io/security/cve-2020-5398

Comment 1 Guilherme de Almeida Suckevicz 2020-02-06 17:23:43 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1799477]

Comment 3 Hardik Vyas 2020-02-07 09:45:17 UTC
External References:

https://pivotal.io/security/cve-2020-5398

Comment 5 Paramvir jindal 2020-02-11 06:37:06 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss BRMS 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 7 Jonathan Christison 2020-02-20 09:21:02 UTC
Lowering the severity rating from Important to Moderate for Fuse 7 for the following reasons:

*) The vulnerable method `ContentDisposition.Builder#filename(String)`, or `ContentDisposition.Builder#filename(String, US_ASCII)` is not used directly in the sources
*) There is no evidence of `Content-Disposition` header being derived from user input
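The mitigation that the description and Comment 7 point at, shown as an added example in plain Java that is neither Spring Framework code nor the fix shipped in 5.2.3: a request-supplied name is reduced to an application-chosen extension and a conservative character set before it reaches the header, and the header value is then assembled as an RFC 6266 quoted-string, with an RFC 5987 `filename*` parameter for non-ASCII names. `SafeContentDisposition`, `sanitizeFilename`, `attachment` and `percentEncode` are names of this example, and the request values in `main` are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example, not Spring Framework code: build a Content-Disposition value from
// request-derived input without letting the request choose the saved file's name or
// break the header's structure. All names here are the example's own.
public final class SafeContentDisposition {

    // Conservative character set for the ASCII part of the name.
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9._-]");

    // Reduce a request-supplied name to a fixed-extension, ASCII-only file name.
    // The extension comes from the application, never from the request.
    public static String sanitizeFilename(String requested, String extension) {
        String base = requested == null ? "" : requested;
        // Drop any path component the client may have supplied.
        int slash = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (slash >= 0) {
            base = base.substring(slash + 1);
        }
        // Discard the client's extension so only ours survives.
        int dot = base.indexOf('.');
        if (dot >= 0) {
            base = base.substring(0, dot);
        }
        base = UNSAFE.matcher(base).replaceAll("_");
        if (base.isEmpty()) {
            base = "download";
        } else if (base.length() > 64) {
            base = base.substring(0, 64);
        }
        return base + "." + extension;
    }

    // Build "attachment; filename=..." for a name the application already trusts.
    // Control characters (including CR/LF) are rejected so the value cannot become a
    // second header; '\' and '"' are escaped inside the quoted-string (RFC 6266);
    // non-ASCII names get an ASCII fallback plus an RFC 5987 filename* parameter.
    public static String attachment(String filename) {
        for (char c : filename.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character in filename");
            }
        }
        StringBuilder sb = new StringBuilder("attachment; filename=\"");
        boolean ascii = true;
        for (char c : filename.toCharArray()) {
            if (c > 0x7e) {
                ascii = false;
                sb.append('_');   // ASCII fallback for user agents that ignore filename*
                continue;
            }
            if (c == '"' || c == '\\') {
                sb.append('\\');  // escape inside the quoted-string
            }
            sb.append(c);
        }
        sb.append('"');
        if (!ascii) {
            sb.append("; filename*=UTF-8''").append(percentEncode(filename));
        }
        return sb.toString();
    }

    // RFC 5987 ext-value: UTF-8 bytes, everything outside attr-char percent-encoded.
    private static String percentEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            if (isAttrChar(v)) {
                out.append((char) v);
            } else {
                out.append('%').append(String.format("%02X", v));
            }
        }
        return out.toString();
    }

    private static boolean isAttrChar(int c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                || "!#$&+-.^_`|~".indexOf(c) >= 0;
    }

    public static void main(String[] args) {
        // Constructed request values: a benign name and one shaped like a script file.
        System.out.println(attachment(sanitizeFilename("quarterly report", "csv")));
        System.out.println(attachment(sanitizeFilename("..\\setup.bat", "csv")));
        // A non-ASCII name is carried in the filename* parameter.
        System.out.println(attachment("résumé.pdf"));
        // A quote in a trusted name is escaped rather than terminating the parameter.
        System.out.println(attachment("a\"b.txt"));
    }
}
```

The two halves do different jobs: `sanitizeFilename` is the RFD mitigation proper, because the application rather than the request decides the extension and the character set of what the browser will save; `attachment` only guarantees that whatever name it is given cannot alter the header's syntax. Reviewing a code base for this CVE means finding every place a `Content-Disposition` filename is derived from request input, which is the check Comment 7 records for Fuse 7, and routing each through something like the first function.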

Comment 9 Jonathan Christison 2020-03-11 13:36:21 UTC
This vulnerability is out of security support scope for the following products:
 * SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 10 Jonathan Christison 2020-03-12 15:39:45 UTC
This vulnerability is out of security support scope for the following products:
 * Fuse Service Works

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 11 Doran Moppert 2020-03-18 04:54:35 UTC
Statement:

This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web.

This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.

Comment 12 errata-xmlrpc 2020-12-16 12:12:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 13 Product Security DevOps Team 2020-12-16 16:18:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5398

