CVE-2020-5398: In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a…

high7.5CVSS 3.1

AVNACHPRNUIRSUCHIHAH

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Affected

65 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	libspring-java	—	—
oracle	application_testing_suite	—	—
oracle	communications_billing_and_revenue_management_elastic_charging_engine	—	—
oracle	communications_billing_and_revenue_management_elastic_charging_engine	—	—
oracle	communications_cloud_native_core_policy	—	—
oracle	communications_diameter_signaling_router	8.0.0 – 8.2.2	—
oracle	communications_element_manager	—	—
oracle	communications_element_manager	—	—
oracle	communications_element_manager	—	—
oracle	communications_policy_management	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	enterprise_manager_base_platform	—	—
oracle	financial_services_regulatory_reporting_with_agilereporter	—	—
oracle	flexcube_private_banking	—	—
oracle	flexcube_private_banking	—	—
oracle	healthcare_master_person_index	—	—
oracle	insurance_calculation_engine	11.0.0 – 11.3.1	—
oracle	insurance_policy_administration_j2ee	—	—
oracle	insurance_policy_administration_j2ee	—	—
oracle	insurance_policy_administration_j2ee	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

osv7.5HIGH