CVE-2020-5398 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-5398 PUBLISHED

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

EPSS 90.18% · 99.6th percentile

Risk Scores

EPSS Score

90.18%

99.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	libspring-java	3.2.13-3, 3.2.13-4, 3.2.13-5
Ubuntu:Pro:22.04:LTS	libspring-java	4.3.30-1ubuntu0.1~esm1, 4.3.30-1, 0
Ubuntu:25.10	libspring-java	4.3.30-2ubuntu1, 0, 4.3.30-3ubuntu1
Ubuntu:Pro:14.04:LTS	libspring-java	0, 3.0.6.RELEASE-7, 3.0.6.RELEASE-8
Ubuntu:Pro:18.04:LTS	libspring-java	0, 4.3.22-1~18.04, 4.3.14-1
Ubuntu:Pro:24.04:LTS	libspring-java	0, 4.3.30-2, 4.3.30-2ubuntu0.24.04.1~esm1
Ubuntu:Pro:20.04:LTS	libspring-java	0, 4.3.22-4, 4.3.22-4ubuntu0.1~esm1

Timeline

Jan 16, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Jan 2, 2023 EPSS Score
Mar 7, 2023 EPSS Score
May 6, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2020-5398 third-party-advisory
https://pivotal.io/security/cve-2020-5398 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-5398 third-party-advisory

Open in Interactive Console →