Investigate vulnerability: Download of Code Without Integrity Check in org.springframework/spring-web
Description:
In Spring Framework, an application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header in the response where the filename attribute is derived from user-supplied input.
- Severity: high
- Confidence: unknown
- Location: pom.xml
Solution:
Upgrade to versions 5.0.16.RELEASE, 5.1.13.RELEASE, 5.2.3.RELEASE or above.