https://bugzilla.redhat.com/show_bug.cgi?id=1799475
Bug ID: 1799475
Summary: CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, chazlett@redhat.com, dblechte@redhat.com, dfediuck@redhat.com, dingyichen@gmail.com, drieden@redhat.com, eedri@redhat.com, esammons@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, gvarsami@redhat.com, hvyas@redhat.com, ibek@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jochrist@redhat.com, jolee@redhat.com, jross@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, mcressma@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mnovotny@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pjindal@redhat.com, puebele@redhat.com, puntogil@libero.it, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sbonazzo@redhat.com, sdaley@redhat.com, sherold@redhat.com, sisharma@redhat.com, tcunning@redhat.com, tkirby@redhat.com, vbellur@redhat.com, vhalbert@redhat.com, yturgema@redhat.com
Target Milestone: ---
Classification: Other
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
Reference: https://pivotal.io/security/cve-2020-5398
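The following is an added illustration of the header-construction mistake the advisory describes; it is not code from Spring Framework, Pivotal or Red Hat, and it is written in plain Python rather than against Spring's `ContentDisposition` API. It puts a naive builder (user value quoted and concatenated into `Content-Disposition`) beside a hardened one that strips path and delimiter characters, applies an extension allow-list and emits an RFC 5987 `filename*` parameter. The sample inputs, the `ALLOWED_EXTENSIONS` policy, `DEFAULT_NAME` and all function names are assumptions made for the example.

```python
"""Content-Disposition built from request input: a naive builder beside a hardened one.

Added illustration, not Spring code. The inputs below are constructed to show
the classes of value an RFD attacker sends in a request parameter that an
application copies into the filename attribute.
"""
import urllib.parse

# Constructed sample inputs (assumption: the app echoes a request parameter into the filename).
SAMPLE_INPUTS = [
    'report.csv',                        # benign
    'setup.bat',                         # executable extension: a typical RFD payload name
    'x.txt"; filename="payload.cmd',     # quote breakout adds a second filename parameter
    'invoice.pdf\r\nSet-Cookie: a=b',    # CRLF splits the header
    '../../etc/passwd',                  # path components in the name
    'résumé.txt',                        # non-ASCII, needs RFC 5987 encoding
]

# Assumed policy: the application decides which extensions it will ever serve.
ALLOWED_EXTENSIONS = {'csv', 'txt', 'pdf', 'png'}
DEFAULT_NAME = 'download.txt'


def naive_content_disposition(user_filename: str) -> str:
    """Vulnerable pattern: quote the user value and concatenate, no escaping or policy."""
    return f'attachment; filename="{user_filename}"'


def sanitize_filename(user_filename: str) -> str:
    """Reduce an untrusted name to one the server is willing to send.

    Drops directory components, keeps only letters, digits and a few
    punctuation characters (so quotes, semicolons, CR/LF and backslashes
    never reach the header), and replaces any name whose extension is not
    on the allow-list with a server-chosen one.
    """
    name = user_filename.replace('\\', '/').rsplit('/', 1)[-1]
    name = ''.join(ch for ch in name if ch.isalnum() or ch in '._- ')
    name = name.strip(' .')
    if '.' not in name:
        return DEFAULT_NAME
    extension = name.rsplit('.', 1)[1].lower()
    if extension not in ALLOWED_EXTENSIONS:
        return DEFAULT_NAME
    return name


def hardened_content_disposition(user_filename: str) -> str:
    """Emit an ASCII fallback plus an RFC 5987 filename* parameter for the sanitized name."""
    safe = sanitize_filename(user_filename)
    ascii_fallback = safe.encode('ascii', 'replace').decode('ascii').replace('?', '_')
    encoded = urllib.parse.quote(safe, safe='')  # percent-encodes everything outside unreserved
    return f"attachment; filename=\"{ascii_fallback}\"; filename*=UTF-8''{encoded}"


def header_is_single_valued(header: str) -> bool:
    """Cheap response-side check: one line and exactly one plain filename parameter.

    Catches breakout and CRLF injection but not a dangerous extension, which
    is why the allow-list in sanitize_filename is still needed.
    """
    if '\r' in header or '\n' in header:
        return False
    return header.count('filename=') == 1


def compare(inputs=SAMPLE_INPUTS):
    """Return (input, naive header, naive passes check, hardened header) for each sample."""
    return [
        (value,
         naive_content_disposition(value),
         header_is_single_valued(naive_content_disposition(value)),
         hardened_content_disposition(value))
        for value in inputs
    ]


if __name__ == '__main__':
    for value, naive, ok, hardened in compare():
        print(repr(value))
        print('  naive   :', repr(naive), '(passes check)' if ok else '(FAILS check)')
        print('  hardened:', repr(hardened))
```

Running the block shows that `setup.bat` passes the single-value check under the naive builder yet is still a usable RFD name; only the extension allow-list (or a fixed server-chosen filename) removes that case, which is why escaping quotes alone is not a complete fix.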
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What       |Removed |Added
Blocks     |        |1799476
Depends On |        |1799477
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1799477 [Bug 1799477] CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created springframework tracking bugs for this issue:
Affects: fedora-all [bug 1799477]
--- Comment #2 from Hardik Vyas hvyas@redhat.com --- Statement:
This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web.
Hardik Vyas hvyas@redhat.com changed:
What             |Removed |Added
Fixed In Version |        |springframework 5.2.3, springframework 5.1.13, springframework 5.0.16
--- Comment #3 from Hardik Vyas hvyas@redhat.com --- External References:
https://pivotal.io/security/cve-2020-5398
--- Comment #5 from Paramvir jindal pjindal@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss BRMS 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #7 from Jonathan Christison jochrist@redhat.com --- Lowering the severity rating from Important to Moderate for Fuse 7 for the following reasons:
*) The vulnerable method `ContentDisposition.Builder#filename(String)`, or `ContentDisposition.Builder#filename(String, US_ASCII)`, is not used directly in the sources
*) There is no evidence of the `Content-Disposition` header being derived from user input
--- Comment #9 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #10 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Fuse Service Works
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #11 from Doran Moppert dmoppert@redhat.com --- Statement:
This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web.
This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in springframework in versions prior to 5.0.16, 5.1.13, and 5.2.3. A reflected file download (RFD) attack is possible when a "Content-Disposition" header is set in the response and its filename attribute is derived from user-supplied input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Bug 1799475 depends on bug 1799477, which changed state.
Bug 1799477 Summary: CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1799477
What       |Removed |Added
Status     |NEW     |CLOSED
Resolution |---     |EOL
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
Link ID |        |Red Hat Product Errata RHSA-2020:5568
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
Status      |NEW     |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2020-12-16 16:18:41
--- Comment #13 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-5398
Joshua Mulliken jmullike@redhat.com changed:
What |Removed |Added
CC   |        |aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com
Paramvir jindal pjindal@redhat.com changed:
What |Removed                                                   |Added
CC   |aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com |java-sig-commits@lists.fedoraproject.org