PT-2020-2651 · Oracle · Oracle Retail Order Broker

Published 2020-01-16 · Updated 2025-09-29 · CVE-2020-5398

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Spring Framework versions 5.0.x prior to 5.0.16
Spring Framework versions 5.1.x prior to 5.1.13
Spring Framework versions 5.2.x prior to 5.2.3
Oracle Retail Order Broker (affected versions not specified)

Description
The issue exists due to inadequate protection of the web page structure in the Spring Framework component of Oracle Retail Order Broker. This allows a remote attacker to gain full control over the application via the HTTP protocol. The vulnerability can be exploited through a reflected file download (RFD) attack when the application sets a "Content-Disposition" header in the response whose filename attribute is derived from user-supplied input.

Recommendations
For Spring Framework versions 5.0.x prior to 5.0.16, update to version 5.0.16 or later.
For Spring Framework versions 5.1.x prior to 5.1.13, update to version 5.1.13 or later.
For Spring Framework versions 5.2.x prior to 5.2.3, update to version 5.2.3 or later.
For Oracle Retail Order Broker, at the moment there is no information about a newer version that contains a fix for this vulnerability.
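The pattern the description names (a Content-Disposition filename derived from user input) beside a hardened builder, as an added example that is not Spring's own code or its fix; it is framework-independent Python, and the server-chosen `extension`, the `_MAX_STEM` limit and the "download" fallback name are assumptions made here.

```python
"""Hardened Content-Disposition builder (added example, not Spring's code).

The weakness in the advisory: `attachment; filename="<raw user input>"`
lets the client shape the download's name and extension. The safe builder
keeps a conservative ASCII stem, forces a server-chosen extension, and
carries any non-ASCII original name only as an RFC 5987 `filename*`
parameter, which is percent-encoded and so cannot break the header.
"""
import re
import unicodedata
from urllib.parse import quote

# Anything outside this set (quotes, semicolons, backslashes, slashes,
# whitespace, control characters) is collapsed to "_" in the stem.
_UNSAFE_RUN = re.compile(r"[^A-Za-z0-9._-]+")
_MAX_STEM = 64  # assumed length limit, not from the advisory


def vulnerable_content_disposition(user_name: str) -> str:
    """The pattern the advisory describes: filename copied verbatim."""
    return f'attachment; filename="{user_name}"'


def safe_content_disposition(user_name: str, extension: str = ".csv") -> str:
    """Derive a Content-Disposition value from user input without
    letting that input control the header grammar or the extension."""
    if not extension.startswith(".") or _UNSAFE_RUN.search(extension[1:]):
        raise ValueError("extension must be server-chosen, e.g. '.csv'")
    # Drop directory components, whichever separator the client used,
    # then discard the client's own extension (we append ours below).
    base = re.split(r"[\\/]", user_name)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    # Plain `filename=` must be ASCII: transliterate where possible,
    # replace the rest, and fall back to a fixed name if nothing is left.
    ascii_stem = unicodedata.normalize("NFKD", stem).encode("ascii", "ignore").decode()
    ascii_stem = _UNSAFE_RUN.sub("_", ascii_stem).strip("._")[:_MAX_STEM] or "download"
    value = f'attachment; filename="{ascii_stem}{extension}"'
    # Keep a readable non-ASCII name via filename*; quote() with safe=""
    # percent-encodes every byte except unreserved characters.
    display = stem.strip()[:_MAX_STEM]
    if display and not display.isascii():
        value += f"; filename*=UTF-8''{quote(display + extension, safe='')}"
    return value
```

The test inputs below are constructed; the vulnerable form shows the raw input landing unchanged in the header, the safe form shows it reduced to a harmless stem plus the server's extension.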

Exploit

XSS


Weakness Enumeration

Related Identifiers

ALSA-2025_11035
ALSA-2025_16880
ALT-PU-2020-2640
ALT-PU-2021-2380
ALT-PU-2021-3668
BDU:2020-02695
CVE-2020-5398
GHSA-8WX2-9Q48-VM9R

Affected Products

Alt Linux
Oracle Retail Order Broker
Spring Framework