CVE-2015-5211 - High Severity Vulnerability
Vulnerable Libraries - spring-webmvc-3.2.4.RELEASE.jar, spring-web-3.2.4.RELEASE.jar
spring-webmvc-3.2.4.RELEASE.jar
Spring Web MVC
path: 2/repository/org/springframework/spring-webmvc/3.2.4.RELEASE/spring-webmvc-3.2.4.RELEASE.jar
Library home page: https://github.com/SpringSource/spring-framework
Dependency Hierarchy:
spring-web-3.2.4.RELEASE.jar
Spring Web
path: /root/.m2/repository/org/springframework/spring-web/3.2.4.RELEASE/spring-web-3.2.4.RELEASE.jar
Library home page: https://github.com/SpringSource/spring-framework
Dependency Hierarchy:
Vulnerability Details
Under some situations, Spring Framework versions 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Publish Date: 2017-05-25
URL: CVE-2015-5211
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2015-5211
Fix Resolution: Users of affected Spring Framework versions should upgrade as follows:
For 3.2.x upgrade to 3.2.15+.
For 4.0.x and 4.1.x upgrade to 4.1.8+.
For 4.2.x upgrade to 4.2.2+.
In the above-mentioned versions Spring MVC checks if the URL contains a file extension prior to writing with an HttpMessageConverter, and if the extension is unknown a “Content-Disposition” response header is added to suggest the download filename “f.txt”. The list of “known” extensions by default includes the ones associated with the built-in HttpMessageConverter implementations as well as any additional extensions explicitly registered for content negotiation purposes. For 4.x the fix also includes URL checks for SockJS URLs and validation of the JSONP callback parameter in all areas where JSONP is supported.