Reflected file download (RFD) in Spring Framework
CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in t…
Vulnerability class: XSS (Cross-Site Scripting). The issue itself is a reflected file download (RFD); it is filed under the XSS class because the weakness taxonomy records it as CWE-79, the same entry used for cross-site scripting.
EPSS: 0.902 (99.6th percentile).
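The description above gives the shape of the bug: a handler sets a Content-Disposition header whose filename follows request input while the response body reflects more request input, so a crafted link turns an ordinary JSON endpoint into an attacker-named download. The controller below is an added illustration, not Spring's code and not a proof of concept from this page; it places that shape next to a hardened version. The endpoint paths, parameter names, the ALLOWED_LABEL pattern and the use of Jackson for JSON encoding are assumptions chosen for the example.

```java
// Added example: RFD-prone Spring MVC handler next to a hardened one.
// Paths, parameter names, ALLOWED_LABEL and the Jackson dependency are assumptions.
import java.util.Collections;
import java.util.regex.Pattern;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExportController {

    private static final ObjectMapper JSON = new ObjectMapper();

    // Assumed allowlist for a caller-supplied label: letters, digits, '_' and '-' only,
    // so no quotes, dots, path separators or CR/LF can reach the header.
    private static final Pattern ALLOWED_LABEL = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // RFD-prone shape: the filename AND part of the body come straight from the request.
    // A link such as  /export?name=run.bat&q=%22%7C%7Ccalc%7C%7C  makes the browser save a
    // file named run.bat containing  {"query":""||calc||"}  ; when the user runs it,
    // cmd.exe fails on the first token and the || operator executes calc.
    @GetMapping("/export")
    public ResponseEntity<String> exportVulnerable(@RequestParam String name,
                                                   @RequestParam String q) {
        String body = "{\"query\":\"" + q + "\"}";                 // no JSON escaping
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION,
                        "attachment; filename=\"" + name + "\"")  // attacker-chosen name
                .contentType(MediaType.APPLICATION_JSON)
                .body(body);
    }

    // Hardened shape: the server owns the filename and its extension, the label is
    // allowlisted, the body is produced by a JSON encoder, and nosniff stops the
    // browser from reinterpreting the declared type.
    @GetMapping("/export-safe")
    public ResponseEntity<String> exportSafe(@RequestParam(required = false) String name,
                                             @RequestParam String q)
            throws JsonProcessingException {
        String label = (name != null && ALLOWED_LABEL.matcher(name).matches()) ? name : "export";
        ContentDisposition disposition = ContentDisposition.builder("attachment")
                .filename(label + ".json")   // extension fixed server-side
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(disposition);
        headers.set("X-Content-Type-Options", "nosniff");
        String body = JSON.writeValueAsString(Collections.singletonMap("query", q));
        return ResponseEntity.ok()
                .headers(headers)
                .contentType(MediaType.APPLICATION_JSON)
                .body(body);
    }
}
```

Upgrading to the fixed releases named above (5.0.16, 5.1.13, 5.2.3 or later) addresses the framework side, but the hardened handler does not rely on that: it never lets request input choose the extension, which is what makes a downloaded file executable on the victim's machine, and it never concatenates request input into the body, which is what carries the command. Both controls hold on an unpatched release too.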
CVSS v3 metric
CVSS v3 base score 8.0 (High). Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H (network-reachable, high attack complexity, low privileges, user interaction required, scope changed, high impact on confidentiality, integrity and availability).
Affected products
- Spring Framework — 5.0.x before 5.0.16, 5.1.x before 5.1.13, 5.2.x before 5.2.3
Weakness classification (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), the entry behind the XSS class shown above
Public proof-of-concept exploits
References
- [camel-commits] 20200220 [camel] branch camel-2.25.x updated: Updating Spring due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [geode-dev] 20200410 Proposal to bring GEODE-7970 to support/1.12 (mailing-list, x_refsource_MLIST)
- [geode-dev] 20200410 Re: Proposal to bring GEODE-7970 to support/1.12 (mailing-list, x_refsource_MLIST)
- [karaf-issues] 20200514 [jira] [Created] (KARAF-6721) Update Spring versions due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [karaf-issues] 20200514 [jira] [Commented] (KARAF-6721) Update Spring versions due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [karaf-commits] 20200514 [GitHub] [karaf] coheigea opened a new pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [karaf-issues] 20200514 [jira] [Updated] (KARAF-6721) Update Spring versions due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [karaf-commits] 20200514 [GitHub] [karaf] skitt commented on a change in pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [karaf-commits] 20200514 [GitHub] [karaf] coheigea commented on a change in pull request #1118: KARAF-6721 - Update Spring versions due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
- [karaf-issues] 20200517 [jira] [Updated] (KARAF-6721) Upgrade to Spring 5.1.14.RELEASE and 5.2.5.RELEASE due to CVE-2020-5398 (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-5398?
- CVE-2020-5398 is a high-severity vulnerability in Spring Framework, classified under Cross-site Scripting. CVSS score: 8.0/10. Published 2020-01-16.
- How severe is CVE-2020-5398?
- High severity. CVSS v3 base score is 8.0 out of 10.
- Is CVE-2020-5398 known to be exploited?
- 44 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.