To: All Fischer Customers
Publish Date: 4/30/2020
In Spring Framework (CVE-2020-5398), versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from user-supplied input.
The Fischer product is not affected by this vulnerability. In Fischer Identity version 7.4.x, the spring-web module is not used to serve content.
The following is true for our application:
- The application does not set a “Content-Disposition” response header
- No response header is prepared with org.springframework.http.ContentDisposition, the class whose filename handling this vulnerability concerns.
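To make the vulnerable condition above concrete for customers reviewing their own integrations, the following is an added illustration, not Fischer Identity or Spring Framework code. The controller, endpoint paths, request parameters and the allow-list regular expression are all assumptions chosen for the example; the Spring types used (ContentDisposition, HttpHeaders, ResponseEntity) are the real spring-web API. The first handler shows the pattern the advisory warns about: the filename attribute of Content-Disposition is taken directly from the request while the body reflects other request data. The second handler validates the filename against an allow-list before it reaches the header and serves a server-selected body instead of echoing input.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller written for this advisory; not Fischer or Spring code.
@RestController
public class ExportController {

    // Allow-list for the filename attribute: short ASCII stem plus one of two
    // fixed extensions. Quotes, semicolons, backslashes, path separators and
    // executable extensions (.bat, .cmd, .exe, ...) never reach the header.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.(csv|pdf)$");

    // Constructed sample exports, keyed by a server-side id, standing in for
    // whatever the real application would generate.
    private static final Map<Long, byte[]> EXPORTS = Map.of(
            1L, "id,name\n1,alice\n2,bob\n".getBytes(StandardCharsets.UTF_8));

    // VULNERABLE PATTERN (do not ship). The filename comes verbatim from the
    // request and the body reflects the 'q' parameter. On the affected Spring
    // versions a crafted 'name' together with reflected content lets an
    // attacker make a victim's browser download attacker-shaped content under
    // an attacker-chosen name: the reflected file download described above.
    @GetMapping("/export/unsafe")
    public ResponseEntity<byte[]> exportUnsafe(@RequestParam("name") String name,
                                               @RequestParam("q") String query) {
        byte[] body = ("results for: " + query).getBytes(StandardCharsets.UTF_8);
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(
                ContentDisposition.builder("attachment").filename(name).build());
        headers.setContentType(MediaType.APPLICATION_OCTET_STREAM);
        return ResponseEntity.ok().headers(headers).body(body);
    }

    // HARDENED PATTERN. The filename is validated against SAFE_NAME before it
    // is placed in the header, and the body is looked up by id rather than
    // built from request input, so nothing attacker-controlled is reflected.
    @GetMapping("/export/safe")
    public ResponseEntity<byte[]> exportSafe(@RequestParam("name") String name,
                                             @RequestParam("id") long exportId) {
        if (!SAFE_NAME.matcher(name).matches()) {
            return ResponseEntity.badRequest().build();
        }
        byte[] body = EXPORTS.get(exportId);
        if (body == null) {
            return ResponseEntity.notFound().build();
        }
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(
                ContentDisposition.builder("attachment").filename(name).build());
        headers.setContentType(MediaType.APPLICATION_OCTET_STREAM);
        // Stops browsers from second-guessing the declared content type.
        headers.set("X-Content-Type-Options", "nosniff");
        return ResponseEntity.ok().headers(headers).body(body);
    }
}
```

The review the advisory lists above amounts to checking whether any handler looks like the first method: search the code base for uses of ContentDisposition and for literal "Content-Disposition" headers, and for each one confirm that the filename value cannot be influenced by a request parameter, path segment or header. Upgrading Spring does not remove the need for that validation, since an application that accepts arbitrary filenames and reflects request data into a download remains a poor design regardless of library version.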
Although the Fischer product is not affected by this specific vulnerability, we will upgrade our third-party dependencies, including this particular Spring library, in our next minor release, 7.5.0.
If you have any questions regarding the vulnerability, please feel free to open a ticket and we’ll be happy to assist. You can also find more information about this specific vulnerability at https://tanzu.vmware.com/security/cve-2020-5398.