Candidate: CVE-2020-5398
PublicDate: 2020-01-17 00:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5398
 https://pivotal.io/security/cve-2020-5398
Description:
 In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to
 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a
 reflected file download (RFD) attack when it sets a "Content-Disposition"
 header in the response where the filename attribute is derived from user
 supplied input.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H [7.5 HIGH]

Patches_libspring-java:
upstream_libspring-java: needs-triage
precise/esm_libspring-java: DNE
trusty_libspring-java: ignored (out of standard support)
trusty/esm_libspring-java: needs-triage
xenial_libspring-java: ignored (end of standard support, was needs-triage)
bionic_libspring-java: needs-triage
disco_libspring-java: ignored (reached end-of-life)
eoan_libspring-java: ignored (reached end-of-life)
focal_libspring-java: needs-triage
groovy_libspring-java: ignored (reached end-of-life)
hirsute_libspring-java: ignored (reached end-of-life)
impish_libspring-java: needs-triage
jammy_libspring-java: needs-triage
devel_libspring-java: needs-triage