Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreIn Spring Framework, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Specifically, an application is vulnerable when all the following are true:
org.springframework.http.ContentDisposition.ContentDisposition.Builder#filename(String, Charset).An application is not vulnerable if any of the following is true:
org.springframework.http.ContentDisposition.ContentDisposition.Builder#filename(String), orContentDisposition.Builder#filename(String, ASCII)Spring Framework:
| Fix version | Availability |
|---|---|
| 6.2.8 | OSS |
| 6.1.21 | OSS |
| 6.0.29 | Enterprise Support Only |
No further mitigation steps are necessary.
This issue was responsibly reported by Jakob Linskeseder from the Dynatrace Security Team.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy