Vulnerability Details CVE-2015-5211
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.023
EPSS Ranking 84.1%
CVSS Severity
CVSS v3 Score 9.6
CVSS v2 Score 9.3
References
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- https://pivotal.io/security/cve-2015-5211
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- https://pivotal.io/security/cve-2015-5211
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/
Products affected by CVE-2015-5211
-
cpe:2.3:a:vmware:spring_framework:3.2.0
-
cpe:2.3:a:vmware:spring_framework:3.2.1
-
cpe:2.3:a:vmware:spring_framework:3.2.10
-
cpe:2.3:a:vmware:spring_framework:3.2.11
-
cpe:2.3:a:vmware:spring_framework:3.2.12
-
cpe:2.3:a:vmware:spring_framework:3.2.13
-
cpe:2.3:a:vmware:spring_framework:3.2.14
-
cpe:2.3:a:vmware:spring_framework:3.2.2
-
cpe:2.3:a:vmware:spring_framework:3.2.3
-
cpe:2.3:a:vmware:spring_framework:3.2.4
-
cpe:2.3:a:vmware:spring_framework:3.2.5
-
cpe:2.3:a:vmware:spring_framework:3.2.6
-
cpe:2.3:a:vmware:spring_framework:3.2.7
-
cpe:2.3:a:vmware:spring_framework:3.2.8
-
cpe:2.3:a:vmware:spring_framework:3.2.9
-
cpe:2.3:a:vmware:spring_framework:4.0.0
-
cpe:2.3:a:vmware:spring_framework:4.0.1
-
cpe:2.3:a:vmware:spring_framework:4.0.2
-
cpe:2.3:a:vmware:spring_framework:4.0.3
-
cpe:2.3:a:vmware:spring_framework:4.0.4
-
cpe:2.3:a:vmware:spring_framework:4.0.5
-
cpe:2.3:a:vmware:spring_framework:4.0.6
-
cpe:2.3:a:vmware:spring_framework:4.0.7
-
cpe:2.3:a:vmware:spring_framework:4.0.8
-
cpe:2.3:a:vmware:spring_framework:4.0.9
-
cpe:2.3:a:vmware:spring_framework:4.1.0
-
cpe:2.3:a:vmware:spring_framework:4.1.1
-
cpe:2.3:a:vmware:spring_framework:4.1.2
-
cpe:2.3:a:vmware:spring_framework:4.1.3
-
cpe:2.3:a:vmware:spring_framework:4.1.4
-
cpe:2.3:a:vmware:spring_framework:4.1.5
-
cpe:2.3:a:vmware:spring_framework:4.1.6
-
cpe:2.3:a:vmware:spring_framework:4.1.7
-
cpe:2.3:a:vmware:spring_framework:4.2.0
-
cpe:2.3:a:vmware:spring_framework:4.2.1
-
cpe:2.3:o:debian:debian_linux:8.0