In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. Reference: https://pivotal.io/security/cve-2020-5398
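The following is an added illustration of the issue described above, not code from Spring Framework or from any Red Hat product: a hypothetical `ExportController` with two handlers, one that passes a `?name=` query parameter straight into `ContentDisposition.Builder#filename(String)` and one that validates the value and uses the RFC 5987 `filename(String, Charset)` path with UTF-8. The controller name, the endpoint paths, the `name` parameter and the allowlist pattern are assumptions made for this example; the builder methods and header constants are Spring's.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller written for this tracker entry (not Spring's or any
// Red Hat product's code). Both handlers serve a CSV export whose download name
// is derived from the user-controlled ?name= query parameter.
@RestController
public class ExportController {

    // VULNERABLE on 5.2.x < 5.2.3, 5.1.x < 5.1.13, 5.0.x < 5.0.16: filename(String)
    // wraps the value in double quotes without escaping quotes inside it. A request
    //   GET /export/unsafe?name=setup.bat%22%3Bx%3D%22      (name = setup.bat";x=")
    // yields
    //   Content-Disposition: attachment; filename="setup.bat";x=".csv"
    // The injected quote terminates the filename parameter early, so the browser
    // saves the attacker-influenced body as setup.bat instead of <name>.csv. That
    // is the reflected file download (RFD) primitive the advisory describes.
    @GetMapping("/export/unsafe")
    public ResponseEntity<String> unsafe(@RequestParam("name") String name) {
        ContentDisposition cd = ContentDisposition.builder("attachment")
                .filename(name + ".csv")
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .body(csvBody());
    }

    // Allowlist for the user-controlled part of the name (policy chosen for this
    // example): letters, digits, dot, underscore, dash only, so quotes, semicolons,
    // backslashes, path separators and control characters never reach the header.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    @GetMapping("/export/safe")
    public ResponseEntity<String> safe(@RequestParam("name") String name) {
        if (!SAFE_NAME.matcher(name).matches() || name.startsWith(".")) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid export name");
        }
        // filename(String, UTF_8) emits an RFC 5987 filename*=UTF-8''... parameter in
        // which '"', ';', '\' and non-ASCII bytes are percent-encoded, so the header
        // cannot be broken out of even if the allowlist above is later relaxed.
        // Passing US_ASCII instead takes the unencoded, quoted path and is exposed in
        // the same way as filename(String), which is why the advisory lists both.
        ContentDisposition cd = ContentDisposition.builder("attachment")
                .filename(name + ".csv", StandardCharsets.UTF_8)
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                // A fixed Content-Type plus nosniff keeps the browser from
                // reinterpreting the body as a script or other executable type.
                .header("X-Content-Type-Options", "nosniff")
                .contentType(new MediaType("text", "csv"))
                .body(csvBody());
    }

    // Constructed sample body; a real export would be built from application data.
    private static String csvBody() {
        return "id,value\n1,example\n";
    }
}
```

Upgrading to a fixed release closes the quoting gap in `filename(String)`, but the second handler's checks are worth keeping regardless: input validation limits what can appear in the header at all, the `filename*` form encodes rather than quotes, and `nosniff` with an explicit content type removes the browser-side half of an RFD chain.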
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1799477]
External References: https://pivotal.io/security/cve-2020-5398
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss BRMS 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Lowering the severity rating from Important to Moderate for Fuse 7 for the following reasons:
*) The vulnerable methods `ContentDisposition.Builder#filename(String)` and `ContentDisposition.Builder#filename(String, US_ASCII)` are not used directly in the sources
*) There is no evidence of the `Content-Disposition` header being derived from user input
This vulnerability is out of security support scope for the following products:
* SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following products:
* Fuse Service Works
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web. This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5398