CVE-2015-5211: Improper Input Validation

October 17, 2018 (updated September 16, 2021)

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

References

github.com/advisories/GHSA-pgf9-h69p-pcgf
lists.debian.org/debian-lts-announce/2019/07/msg00012.html
nvd.nist.gov/vuln/detail/CVE-2015-5211
pivotal.io/security/cve-2015-5211
www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/

Detect and mitigate CVE-2015-5211 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →