Reflected File Download Affecting org.springframework:spring-web package, versions [3.2.0.RELEASE, 3.2.15.RELEASE) [4.0.0.RELEASE, 4.1.8.RELEASE) [4.2.0.RELEASE, 4.2.2.RELEASE)


0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Scope Changed
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.28% (68th percentile)
Expand this section
NVD
9.6 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORK-30165
  • published 25 Dec 2016
  • disclosed 15 Oct 2015
  • credit Alvaro Muñoz

How to fix?

Upgrade org.springframework:spring-web to version 3.2.15.RELEASE, 4.1.8.RELEASE, 4.2.2.RELEASE or higher.

Overview

org.springframework:spring-web package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Reflected File Download via a crafted URL with a batch script extension, resulting in the response being downloaded rather than rendered.