Bug 1799475 (CVE-2020-5398) - CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-5398
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1799477
Blocks: 1799476
Reported: 2020-02-06 17:20 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-04 09:42 UTC
CC List: 49 users

Fixed In Version: springframework 5.2.3, springframework 5.1.13, springframework 5.0.16
Clone Of:
Environment:
Last Closed: 2020-12-16 16:18:41 UTC
Embargoed:


Links
System: Red Hat Product Errata | ID: RHSA-2020:5568 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2020-12-16 12:13:08 UTC

Description Guilherme de Almeida Suckevicz 2020-02-06 17:20:51 UTC
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Reference:
https://pivotal.io/security/cve-2020-5398

Comment 1 Guilherme de Almeida Suckevicz 2020-02-06 17:23:43 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1799477]

Comment 3 Hardik Vyas 2020-02-07 09:45:17 UTC
External References:

https://pivotal.io/security/cve-2020-5398

Comment 5 Paramvir jindal 2020-02-11 06:37:06 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss BRMS 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 7 Jonathan Christison 2020-02-20 09:21:02 UTC
Lowering the severity rating from Important to Moderate for Fuse 7 for the following reasons:

*) The vulnerable method `ContentDisposition.Builder#filename(String)`, or `ContentDisposition.Builder#filename(String, US_ASCII)`, is not used directly in the sources
*) There is no evidence of the `Content-Disposition` header being derived from user input
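The description and comment 7 above both point at the same risk: a Content-Disposition filename taken from request input, whether passed through Spring's ContentDisposition builder or written to the response directly. The following added example is not Spring's code and is not part of this bug report; it shows one application-side defence that does not depend on the library fix in 5.2.3 / 5.1.13 / 5.0.16: strip path components, drop any character that could terminate the quoted parameter, and only accept extensions the application actually serves, falling back to a server-chosen name otherwise. The class name, the allowed-extension set and the fallback name are assumptions made for the example.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Spring's code): build a Content-Disposition header value
 * whose filename may be influenced by request input without letting that
 * input choose the downloaded file type or break out of the quoted parameter.
 *
 * Assumptions (not from the bug report): the application serves only a fixed
 * set of extensions and supplies a default name when the input is unusable.
 */
public final class SafeContentDisposition {

    // Only characters that cannot close the quoted-string parameter, carry a
    // path separator or act as a header delimiter survive; the rest is dropped.
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9._-]");

    // Extensions the application actually serves. Script-like extensions are
    // deliberately absent, so request input cannot turn a reflected response
    // into a file the client would execute.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("csv", "txt", "json");

    private static final int MAX_BASENAME_LENGTH = 64;

    /** Normalises a request-supplied name, or returns {@code fallback} if it is unusable. */
    static String safeFilename(String requested, String fallback) {
        if (requested == null || requested.isBlank()) {
            return fallback;
        }
        // Keep only the last path segment, whatever separator the client used.
        String name = requested;
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        if (slash >= 0) {
            name = name.substring(slash + 1);
        }
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return fallback; // no base name or no extension
        }
        String base = UNSAFE.matcher(name.substring(0, dot)).replaceAll("");
        String ext = name.substring(dot + 1).toLowerCase();
        if (base.isEmpty() || !ALLOWED_EXTENSIONS.contains(ext)) {
            return fallback;
        }
        if (base.length() > MAX_BASENAME_LENGTH) {
            base = base.substring(0, MAX_BASENAME_LENGTH);
        }
        return base + "." + ext;
    }

    /** Builds the header value from a name that has already passed safeFilename. */
    static String headerValue(String safeName) {
        // The name is limited to [A-Za-z0-9._-], so plain quoting is sufficient
        // and no RFC 5987 filename* parameter is required.
        return "attachment; filename=\"" + safeName + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request.
        String[] samples = {
            "report.csv",              // ordinary name, kept as-is
            "../../etc/report.csv",    // path components are removed
            "quote\"injection.csv",    // the quote cannot close the parameter
            "setup.bat",               // extension not served -> fallback
            ""                         // empty -> fallback
        };
        for (String s : samples) {
            String name = safeFilename(s, "export.csv");
            System.out.println("input=[" + s + "] -> " + headerValue(name));
        }
    }
}
```

The cheapest mitigation is still to not derive the filename from the request at all; this pattern is for the case where a user-chosen base name is a product requirement. Upgrading to a fixed Spring release remains necessary for code that calls `ContentDisposition.Builder#filename` with unsanitised input, since the library-level fix and the application-level filter address the same header independently.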

Comment 9 Jonathan Christison 2020-03-11 13:36:21 UTC
This vulnerability is out of security support scope for the following products:
 * SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 10 Jonathan Christison 2020-03-12 15:39:45 UTC
This vulnerability is out of security support scope for the following products:
 * Fuse Service Works

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 11 Doran Moppert 2020-03-18 04:54:35 UTC
Statement:

This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web.

This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.

Comment 12 errata-xmlrpc 2020-12-16 12:12:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 13 Product Security DevOps Team 2020-12-16 16:18:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5398

