CVE-2015-5211

high-risk
Published 2017-05-25

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Do I need to act?

~
1.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.6/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Debian Vmware

References (6)

Mailing List https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
Vendor Advisory https://pivotal.io/security/cve-2015-5211
Exploit https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-...
Mailing List https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
Vendor Advisory https://pivotal.io/security/cve-2015-5211
Exploit https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-...
60
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 23/34 · High