CVE-2020-5398 - High Severity Vulnerability
Vulnerable Libraries - spring-web-5.0.0.RELEASE.jar, spring-web-5.0.4.RELEASE.jar, spring-web-5.0.13.RELEASE.jar, spring-web-5.1.0.RELEASE.jar
spring-web-5.0.0.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.0.RELEASE/f5c2d9d5668534c308a1ca4eda070cd01320af65/spring-web-5.0.0.RELEASE.jar
Dependency Hierarchy:
- spring-rabbit-2.0.0.RELEASE.jar (Root Library)
  - ❌ spring-web-5.0.0.RELEASE.jar (Vulnerable Library)
spring-web-5.0.4.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-webflux-5/spring-webflux-5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.4.RELEASE/9565bbc67bf1a850a6505deaa5103931712a7b80/spring-web-5.0.4.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-webflux-2.0.0.RELEASE.jar (Root Library)
  - ❌ spring-web-5.0.4.RELEASE.jar (Vulnerable Library)
spring-web-5.0.13.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-webflux-5/spring-webflux-5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.13.RELEASE/8e66504c87cc26109204b08cf7b6530951265483/spring-web-5.0.13.RELEASE.jar
Dependency Hierarchy:
- spring-webflux-5.0.13.RELEASE.jar (Root Library)
  - ❌ spring-web-5.0.13.RELEASE.jar (Vulnerable Library)
spring-web-5.1.0.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/couchbase-2.6/couchbase-2.6.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.0.RELEASE/6118844ea0888f70a0df5fe6859558c76c2d32c2/spring-web-5.1.0.RELEASE.jar
Dependency Hierarchy:
- spring-data-couchbase-3.1.0.RELEASE.jar (Root Library)
  - ❌ spring-web-5.1.0.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
Publish Date: 2020-01-17
URL: CVE-2020-5398
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2020-5398
Release Date: 2020-01-17
Fix Resolution (org.springframework:spring-web): 5.0.16.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
Fix Resolution (org.springframework:spring-web): 5.0.16.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-webflux): 2.1.0.RELEASE
Fix Resolution (org.springframework:spring-web): 5.0.16.RELEASE
Direct dependency fix Resolution (org.springframework:spring-webflux): 5.0.16.RELEASE
Fix Resolution (org.springframework:spring-web): 5.1.13.RELEASE
Direct dependency fix Resolution (org.springframework.data:spring-data-couchbase): 3.1.15.RELEASE
⛑️ Automatic Remediation is available for this issue