CVE-2015-5211: Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File…

critical9.6CVSS 3.1

AVNACLPRNUIRSCCHIHAH

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Affected

116 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	libspring-java	< libspring-java 4.1.9-1 (bookworm)	libspring-java 4.1.9-1 (bookworm)
debian	libspring-java	< libspring-java 4.3.30-1 (bookworm)	libspring-java 4.3.30-1 (bookworm)
oracle	commerce_guided_search	—	—
oracle	communications_brm	—	—
oracle	communications_brm	—	—
oracle	communications_design_studio	—	—
oracle	communications_design_studio	—	—
oracle	communications_design_studio	—	—
oracle	communications_session_report_manager	8.2.1 – 8.2.2.1	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	endeca_information_discovery_integrator	—	—
oracle	enterprise_data_quality	—	—
oracle	enterprise_data_quality	—	—
oracle	financial_services_analytical_applications_infrastructure	8.0.6 – 8.1.0	—
oracle	flexcube_private_banking	—	—
oracle	flexcube_private_banking	—	—
oracle	fusion_middleware	—	—
oracle	fusion_middleware	—	—
oracle	goldengate_application_adapters	—	—
oracle	healthcare_master_person_index	—	—
oracle	hyperion_infrastructure_technology	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—

CVSS provenance

nvdv3.19.6CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

ghsa9.6CRITICAL

osv9.6CRITICAL