Input validation

2017-05-2517:29:00

PRIOn knowledge base

www.prio-n.com

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

Low

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

67.6%

JSON

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

CPENameOperatorVersion
debian_linuxeq8.0
spring_frameworkeq3.2.2
spring_frameworkeq3.2.1
spring_frameworkeq3.2.8
spring_frameworkeq3.2.7
spring_frameworkeq3.2.10
spring_frameworkeq3.2.9
spring_frameworkeq3.2.4
spring_frameworkeq3.2.3
spring_frameworkeq3.2.6

Name	Operator	Version
debian_linux	eq	8.0
spring_framework	eq	3.2.2
spring_framework	eq	3.2.1
spring_framework	eq	3.2.8
spring_framework	eq	3.2.7
spring_framework	eq	3.2.10
spring_framework	eq	3.2.9
spring_framework	eq	3.2.4
spring_framework	eq	3.2.3
spring_framework	eq	3.2.6