VDB

CVE-2020-5398

CVE-2020-5398 PUBLISHED

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

EPSS 90.18% · 99.6th percentile

Risk Scores

EPSS Score
90.18%
99.6th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:16.04:LTSlibspring-java3.2.13-3, 0, 3.2.13-5ubuntu0.1~esm1
Ubuntu:Pro:22.04:LTSlibspring-java4.3.30-1, 0, 4.3.30-1ubuntu0.1~esm1
Ubuntu:25.10libspring-java4.3.30-3ubuntu1, 0, 4.3.30-2ubuntu1
Ubuntu:Pro:14.04:LTSlibspring-java3.0.6.RELEASE-8, 3.0.6.RELEASE-9, 3.0.6.RELEASE-10
Ubuntu:Pro:18.04:LTSlibspring-java4.3.14-1, 0, 4.3.22-1~18.04.1~esm1
Ubuntu:Pro:24.04:LTSlibspring-java0, 4.3.30-2, 4.3.30-2ubuntu0.24.04.1~esm1
Ubuntu:Pro:20.04:LTSlibspring-java0, 4.3.22-4ubuntu0.1~esm1, 4.3.22-4

Exploit Intelligence

…and 8 more exploits

Timeline

  • Jan 16, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
  • Nov 6, 2022 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 11, 2023 EPSS Score
  • Jul 14, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›