CVE-2020-5398: Download of Code Without Integrity Check

January 17, 2020 (updated December 10, 2021)

In Spring Framework, an application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header in the response where the filename attribute is derived from user supplied input.

References

nvd.nist.gov/vuln/detail/CVE-2020-5398
pivotal.io/security/cve-2020-5398

Detect and mitigate CVE-2020-5398 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →