Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.6
CVSSv2

CVE-2020-5398

Published: 17/01/2020 Updated: 07/11/2023
CVSS v2 Base Score: 7.6 | Impact Score: 10 | Exploitability Score: 4.9
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 677
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Subscribe to Vmware

Vulnerability Summary

In Spring Framework, versions 5.2.x before 5.2.3, versions 5.1.x before 5.1.13, and versions 5.0.x before 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

vmware spring framework

oracle flexcube private banking 12.1.0

oracle insurance policy administration j2ee 10.2.0

oracle flexcube private banking 12.0.0

oracle insurance rules palette 10.2.0

oracle retail service backbone 15.0

oracle retail back office 14.1

oracle weblogic server 12.2.1.3.0

oracle application testing suite 13.3.0.1

oracle retail order broker 15.0

oracle retail order broker 16.0

oracle retail returns management 14.1

oracle retail central office 14.1

oracle retail assortment planning 15.0

oracle retail point-of-service 14.1

oracle retail predictive application server 15.0.3

oracle retail assortment planning 16.0

oracle retail financial integration 15.0

oracle retail financial integration 16.0

oracle communications policy management 12.5.0

oracle weblogic server 12.2.1.4.0

oracle mysql

oracle rapid planning 12.1

oracle rapid planning 12.2

oracle communications element manager 8.2.0

oracle communications element manager 8.2.1

oracle communications element manager 8.1.1

oracle communications diameter signaling router

oracle retail predictive application server 14.1.3.0

oracle retail bulk data integration 16.0.3.0

oracle retail predictive application server 16.0.3.0

oracle communications session report manager 8.1.1

oracle communications session report manager 8.2.0

oracle communications session report manager 8.2.1

oracle communications session route manager 8.1.1

oracle communications session route manager 8.2.0

oracle communications session route manager 8.2.1

oracle retail service backbone 16.0

oracle retail integration bus 15.0.3

oracle retail predictive application server 14.0.3

oracle retail integration bus 16.0.3

oracle insurance rules palette 10.2.4

oracle insurance rules palette 11.0.2

oracle insurance rules palette 11.1.0

oracle insurance rules palette 11.2.0

oracle insurance policy administration j2ee 10.2.4

oracle insurance policy administration j2ee 11.0.2

oracle insurance policy administration j2ee 11.1.0

oracle insurance policy administration j2ee 11.2.0

oracle healthcare master person index 4.0.2

oracle communications billing and revenue management elastic charging engine 11.3

oracle communications billing and revenue management elastic charging engine 12.0

oracle financial services regulatory reporting with agilereporter 8.0.9.2.0

oracle enterprise manager base platform 13.2.1.0

oracle insurance policy administration j2ee 11.2.2.0

oracle communications cloud native core policy 1.5.0

oracle siebel engineering - installer \\& deployment

oracle insurance calculation engine

netapp snapcenter -

netapp data availability services -

Vendor Advisories

Red Hat: Important: Red Hat Fuse 7.8.0 release and security update
Synopsis Important: Red Hat Fuse 780 release and security update Type/Severity Security Advisory: Important Topic A minor version update (from 77 to 78) is now available for Red Hat Fuse The purpose of this text-only errata is to inform you about the security issues fixed in this releaseRed Hat Produc ...

Github Repositories

https://github.com/motikan2010/CVE-2020-5398

CVE-2020-5398 - RFD(Reflected File Download) Attack for Spring MVC

CVE-2020-5398 - RFD(Reflected File Download) Attack for Spring MVC In Spring Framework, versions 52x prior to 523, versions 51x prior to 5113, and versions 50x prior to 5016, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from user

https://github.com/wapiti-scanner/wapiti

Web vulnerability scanner written in Python3

Wapiti - Web Vulnerability Scanner Wapiti is a web vulnerability scanner written in Python wapiti-scannergithubio/ Requirements In order to work correctly, Wapiti needs Python 3x where x is >= 10 (310, 311) All Python module dependencies will be installed automatically if you use the setuppy script or pip install wapiti3 See INSTALLmd for more detail

References

CWE-494https://pivotal.io/security/cve-2020-5398https://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://www.oracle.com/security-alerts/cpujan2021.htmlhttps://www.oracle.com/security-alerts/cpuApr2021.htmlhttps://www.oracle.com//security-alerts/cpujul2021.htmlhttps://security.netapp.com/advisory/ntap-20210917-0006/https://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://lists.apache.org/thread.html/rf8dc72b974ee74f17bce661ea7d124e733a1f4c4f236354ac0cf48e8%40%3Ccommits.camel.apache.org%3Ehttps://lists.apache.org/thread.html/rc05acaacad089613e9642f939b3a44f7199b5537493945c3e045287f%40%3Cdev.geode.apache.org%3Ehttps://lists.apache.org/thread.html/rdcaadaa9a68b31b7d093d76eacfaacf6c7a819f976b595c75ad2d4dc%40%3Cdev.geode.apache.org%3Ehttps://lists.apache.org/thread.html/r7361bfe84bde9d233f9800c3a96673e7bd81207549ced0236f07a29d%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r9fb1ee08cf337d16c3364feb0f35a072438c1a956afd7b77859aa090%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r0f3530f7cb510036e497532ffc4e0bd0b882940448cf4e233994b08b%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r8736185eb921022225a83e56d7285a217fd83f5524bd64a6ca3bf5cc%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r7d5e518088e2e778928b02bcd3be3b948b59acefe2f0ebb57ec2ebb0%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r3765353ff434fd00d8fa5a44734b3625a06eeb2a3fb468da7dfae134%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/rab0de39839b4c208dcd73f01e12899dc453361935a816a784548e048%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r1bc5d673c01cfbb8e4a91914e9748ead3e5f56b61bca54d314c0419b%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r4b1886e82cc98ef38f582fef7d4ea722e3fcf46637cd4674926ba682%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/reaa8a6674baf2724b1b88a621b0d72d9f7a6f5577c88759842c16eb6%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r74f81f93a9b69140fe41e236afa7cbe8dfa75692e7ab31a468fddaa0%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r028977b9b9d44a89823639aa3296fb0f0cfdd76b4450df89d3c4fbbf%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r2dfd5b331b46d3f90c4dd63a060e9f04300468293874bd7e41af7163%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r8cc37a60a5056351377ee5f1258f2a4fdd39822a257838ba6bcc1e88%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r1accbd4f31ad2f40e1661d70a4510a584eb3efd1e32e8660ccf46676%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/rb4d1fc078f086ec2e98b2693e8b358e58a6a4ef903ceed93a1ee2b18%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r6dac0e365d1b2df9a7ffca12b4195181ec14ff0abdf59e1fdb088ce5%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r4639e821ef9ca6ca10887988f410a60261400a7766560e7a97a22efc%40%3Ccommits.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r0f2d0ae1bad2edb3d4a863d77f3097b5e88cfbdae7b809f4f42d6aad%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r712a6fce928e24e7b6ec30994a7e115a70f1f6e4cf2c2fbf0347ce46%40%3Ccommits.servicecomb.apache.org%3Ehttps://lists.apache.org/thread.html/ra996b56e1f5ab2fed235a8b91fa0cc3cf34c2e9fee290b7fa4380a0d%40%3Ccommits.servicecomb.apache.org%3Ehttps://lists.apache.org/thread.html/r881fb5a95ab251106fed38f836257276feb026bfe01290e72ff91c2a%40%3Ccommits.servicecomb.apache.org%3Ehttps://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59dd4cca9b5b2d7a%40%3Cissues.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74502dd35ede81e1%40%3Cdev.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f84fa5baf7ae33a%40%3Cdev.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b315445978254442163%40%3Ccommits.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e9457cfbe8b729ac5%40%3Cissues.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/rc9c7f96f08c8554225dba9050ea5e64bebc129d0d836303143fe3160%40%3Cdev.rocketmq.apache.org%3Ehttps://lists.apache.org/thread.html/rded5291e25a4c4085a6d43cf262e479140198bf4eabb84986e0a1ef3%40%3Cdev.rocketmq.apache.org%3Ehttps://lists.apache.org/thread.html/r645408661a8df9158f49e337072df39838fa76da629a7e25a20928a6%40%3Cdev.rocketmq.apache.org%3Ehttps://lists.apache.org/thread.html/r27552d2fa10d96f2810c50d16ad1fd1899e37796c81a0c5e7585a02d%40%3Cdev.rocketmq.apache.org%3Ehttps://access.redhat.com/errata/RHSA-2020:5568https://nvd.nist.govhttps://github.com/motikan2010/CVE-2020-5398
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
deserializationCVE-2024-4040cross-site scriptingCVE-2023-25790CVE-2024-2961XML external entityCVE-2024-26926CVE-2024-32806CVE-2024-32711
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook