Vulnerability Watch

Anonymous
6 years ago

CVE-2020-5398: Spring Framework Reflected File Download Vulnerability

On January 16, Spring by Pivotal released a report for CVE-2020-5398, a high-severity reflected file download (RFD) vulnerability affecting Spring MVC and Spring WebFlux applications in Spring Framework, one of the most popular application development frameworks for enterprise Java. The issue was originally raised on December 17, 2019, on Spring's GitHub repository and is credited to Rossen Stoyanchev, a Spring Framework committer.

CVE-2020-5398 is an RFD vulnerability in Spring Framework affecting versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13 and versions 5.0.x prior to 5.0.16. Spring MVC and Spring WebFlux applications are vulnerable to RFD when they set a "Content-Disposition" header in the response whose filename attribute is derived from user-supplied input.

An RFD exploit works similarly to cross-site scripting (XSS) in that it requires a victim to click on a URL for a trusted domain. Upon clicking the malicious link, the victim is presented with a download that appears to have originated from that trusted domain. Once downloaded and run, the malicious payload can execute arbitrary code and potentially take over the system completely. The payload can be customized for the targeted system, for example as a .bat file for Windows or a .sh file for Unix/Linux.
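To make the two preceding paragraphs concrete, here is an added example in plain Java (not code from the post or from the Spring project) showing the unsafe header construction beside a hardened one; the allow-list, the length cap and the idea that the endpoint fixes the extension itself are my assumptions, and no Spring API is used.

```java
import java.util.regex.Pattern;

// Added example: building a Content-Disposition header from a user-supplied
// download name. The endpoint's file type is assumed fixed (e.g. ".csv");
// only the base name may come from the request.
public final class SafeDownloadName {

    // Any character outside this allow-list is replaced (assumed policy).
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");
    private static final int MAX_LEN = 64;

    // Vulnerable pattern described by CVE-2020-5398: the raw request value is
    // copied into the header, so the requester chooses the extension and may
    // include characters that break out of the quoted filename.
    static String unsafeHeader(String userSupplied) {
        return "attachment; filename=\"" + userSupplied + "\"";
    }

    // Hardened form: drop any path component, reduce to the allow-list, strip
    // leading dots, cap the length and append the endpoint's own extension.
    static String safeFileName(String userSupplied, String fixedExtension) {
        String base = userSupplied == null ? "" : userSupplied;
        int slash = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (slash >= 0) {
            base = base.substring(slash + 1);
        }
        base = DISALLOWED.matcher(base).replaceAll("_");
        base = base.replaceFirst("^\\.+", "");
        if (base.length() > MAX_LEN) {
            base = base.substring(0, MAX_LEN);
        }
        if (base.isEmpty()) {
            base = "download";
        }
        return base + fixedExtension;
    }

    static String safeHeader(String userSupplied, String fixedExtension) {
        return "attachment; filename=\"" + safeFileName(userSupplied, fixedExtension) + "\"";
    }

    // Check usable in a unit test or response filter: exactly one quoted
    // filename, only allow-listed characters, and the expected extension.
    static boolean isSafeHeader(String header, String fixedExtension) {
        String prefix = "attachment; filename=\"";
        if (!header.startsWith(prefix) || !header.endsWith("\"")) return false;
        String name = header.substring(prefix.length(), header.length() - 1);
        return !DISALLOWED.matcher(name).find() && name.endsWith(fixedExtension);
    }

    public static void main(String[] args) {
        String sample = "../report.bat";  // constructed sample request value
        System.out.println(unsafeHeader(sample));               // extension chosen by the requester
        System.out.println(safeHeader(sample, ".csv"));         // attachment; filename="report.bat.csv"
        System.out.println(isSafeHeader(safeHeader(sample, ".csv"), ".csv"));  // true
    }
}
```

The same allow-listing belongs in front of whichever header builder the application uses, since a builder that quotes correctly still cannot decide which extension a download should have.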

On January 20, 2019, the Twitter user pyn3rd, who has a history of posting proofs of concept (PoCs) for vulnerabilities with web-based attack vectors, posted a PoC for this vulnerability to their Twitter account.

On January 16, Spring released a series of patches that address and mitigate this vulnerability in the affected versions of Spring Framework. Users of version 5.2.x should upgrade to version 5.2.3, users of 5.1.x should upgrade to version 5.1.13 and users of version 5.0.x should upgrade to version 5.0.16.
