GHSA-8wx2-9q48-vm9r

GitHub Security Advisory

RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response whose filename attribute is derived from user-supplied input.
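The defensive pattern the advisory implies is that request input must never choose the download's extension or be able to close the quoted filename. The following Python example is added here and is neither Spring's code nor part of the advisory: it sanitizes a user-controlled name into a server-chosen type and builds the header, and includes a detection check that a test suite or reverse proxy could run over observed Content-Disposition values. The executable-extension list is a constructed assumption, not an exhaustive inventory.

```python
import re
import unicodedata
from urllib.parse import quote

# Characters kept in the ASCII filename; anything else is replaced by "_".
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")
# Extensions a desktop may execute directly; a constructed list for this example,
# not Spring's, and meant as a detection hint rather than a complete inventory.
_EXECUTABLE = {"bat", "cmd", "exe", "com", "scr", "js", "vbs", "hta", "ps1", "jar", "sh"}


def sanitize_filename(user_input: str, expected_ext: str, fallback: str = "download") -> str:
    """Reduce a user-controlled name to a safe basename plus a server-chosen extension."""
    # Keep only the last path component, whichever separator the client used.
    base = user_input.replace("\\", "/").rsplit("/", 1)[-1]
    # Discard any client-supplied extension: the server decides the file type.
    base = base.split(".", 1)[0]
    # Fold accents to ASCII, then replace everything outside the allowlist.
    base = unicodedata.normalize("NFKD", base).encode("ascii", "ignore").decode()
    base = _UNSAFE.sub("_", base).strip("._-") or fallback
    return f"{base[:64]}.{expected_ext}"


def content_disposition(user_input: str, expected_ext: str) -> str:
    """Build a header value whose filename cannot close the quotes or add parameters."""
    name = sanitize_filename(user_input, expected_ext)
    # The sanitized name is pure ASCII, so filename and filename* (RFC 5987) agree.
    return f'attachment; filename="{name}"; filename*=UTF-8\'\'{quote(name)}'


def risky_disposition(header_value: str) -> bool:
    """Detection check for an observed response header: True if the filename looks
    injected (duplicate parameter, control characters) or carries an executable extension."""
    # A legitimate value has one "filename=" (plus optionally "filename*=", not counted).
    if len(re.findall(r"filename\s*=", header_value, flags=re.IGNORECASE)) > 1:
        return True
    if re.search(r"[\x00-\x1f\x7f]", header_value):
        return True
    match = re.search(r'filename="?([^";]*)', header_value, flags=re.IGNORECASE)
    name = match.group(1).strip() if match else ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in _EXECUTABLE
```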

Affected Packages

org.springframework:spring-webmvc (Maven): affected from 5.2.0.RELEASE, fixed in 5.2.3.RELEASE
org.springframework:spring-webmvc (Maven): affected from 5.1.0.RELEASE, fixed in 5.1.13.RELEASE
org.springframework:spring-webmvc (Maven): affected from 5.0.0.RELEASE, fixed in 5.0.16.RELEASE
org.springframework:spring-webflux (Maven): affected from 5.2.0.RELEASE, fixed in 5.2.3.RELEASE
org.springframework:spring-webflux (Maven): affected from 5.1.0.RELEASE, fixed in 5.1.13.RELEASE
org.springframework:spring-webflux (Maven): affected from 5.0.0.RELEASE, fixed in 5.0.16.RELEASE

Key Information

GHSA ID: GHSA-8wx2-9q48-vm9r
Published: January 21, 2020 8:59 PM
Last Modified: March 14, 2024 9:01 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: org.springframework:spring-webmvc
GitHub Reviewed: Yes

Dataset

Last updated: September 19, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.