PT-2017-6830
Author: Alvaro Muñoz
Published: 2015-11-04
Updated: 2023-03-01
CVE-2015-5211
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Spring Framework versions 3.2.0 through 3.2.14
Spring Framework versions 4.0.0 through 4.1.7
Spring Framework versions 4.2.0 through 4.2.1
Description
The issue allows a malicious user to craft a URL for which the response is downloaded by the browser rather than rendered, and whose body includes reflected input from the request. This can lead to a Reflected File Download (RFD) attack.
Recommendations
For Spring Framework versions 3.2.0 through 3.2.14, update to a version outside of this range to resolve the issue.
For Spring Framework versions 4.0.0 through 4.1.7, update to a version outside of this range to resolve the issue.
For Spring Framework versions 4.2.0 through 4.2.1, update to a version outside of this range to resolve the issue.
Tags: RCE, Files Accessible to External Parties
Affected Products: Spring Framework, Ubuntu