CVE-2015-5211
Reflected File Download (RFD) vulnerability in spring-core (Maven)
What is CVE-2015-5211 About?
This is a Reflected File Download (RFD) vulnerability in the Spring Framework: a malicious URL can cause the server's response to be downloaded as a batch script instead of being rendered in the browser. If the victim runs the downloaded file, the attacker can execute arbitrary code on the victim's machine, which makes this a high-impact but moderately complex exploit. The attack is initiated by persuading a user to click on a specially crafted link.
Affected Software
- org.springframework:spring-core
  - >4.2.0, <4.2.2
  - >4.0.0, <4.1.8
  - <3.2.15
Technical Details
The Reflected File Download (RFD) attack occurs in specific configurations of the Spring Framework (versions 4.2.0-4.2.1, 4.0.0-4.1.7, 3.2.0-3.2.14, and older unsupported versions). A malicious user crafts a URL that includes a batch script extension (e.g., .bat, .cmd). When a victim accesses this URL, the server's response, which includes some user-supplied reflected input, is incorrectly handled by the browser. Instead of rendering the response content within the browser, the browser is tricked into downloading it as a file with the malicious batch script extension. Upon execution of the downloaded file by an unsuspecting user, the reflected input, now part of the script, is executed, leading to arbitrary code execution.
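The URL pattern described above can be searched for in web access logs. The following is an added example, not code from Spring or from this advisory; the Common Log Format layout, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions named in the advisory text; extend for your environment.
SCRIPT_EXTENSIONS = (".bat", ".cmd")

# Request line and status code of a Common/Combined Log Format entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample entries (documentation IP ranges, benign query values).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2015:10:01:22 +0000] "GET /api/search?q=spring HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2015:10:01:25 +0000] "GET /api/search/setup.bat?q=spring HTTP/1.1" 200 530',
    '198.51.100.4 - - [12/Oct/2015:10:02:03 +0000] "GET /api/search/install%2Ecmd HTTP/1.1" 200 498',
    '198.51.100.4 - - [12/Oct/2015:10:02:09 +0000] "GET /static/run.bat HTTP/1.1" 404 0',
]

def script_extension(target):
    """Return the batch-script extension the URL *path* ends with, or None."""
    # Only the path matters here; an extension inside the query string is ignored.
    path = unquote(urlsplit(target).path).lower()  # decode %2E etc., ignore case
    for ext in SCRIPT_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None

def flag_rfd_candidates(lines):
    """Return (line_number, target, extension, status) for requests worth reviewing."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not an access-log entry in the assumed format
        ext = script_extension(match["target"])
        # Triage assumption: report 2xx responses only and drop rejected requests as noise.
        if ext and match["status"].startswith("2"):
            hits.append((number, match["target"], ext, int(match["status"])))
    return hits

if __name__ == "__main__":
    for number, target, ext, status in flag_rfd_candidates(SAMPLE_LOG):
        print(f"line {number}: {target} ends in {ext} (status {status})")
```

A hit is a lead for review, not proof of exploitation: an application may legitimately serve files with these extensions.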
What is the Impact of CVE-2015-5211?
Successful exploitation may allow attackers to execute arbitrary code on the victim's system, leading to full system compromise, data theft, or further network penetration.
What is the Exploitability of CVE-2015-5211?
Exploitation requires social engineering to persuade a victim to click on a specially crafted malicious URL. It does not require authentication or elevated privileges; the final step is local user interaction, in which the victim executes the downloaded file. The attack is remote, as the attacker crafts and distributes the malicious URL. The complexity is moderate, because it relies on specific browser and server response handling characteristics. The likelihood of exploitation increases if users are not trained to recognize suspicious downloads or if browsers have default behaviors that facilitate file execution.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-5211?
Available Upgrade Options
- org.springframework:spring-core
  - <3.2.15 → Upgrade to 3.2.15
  - >4.0.0, <4.1.8 → Upgrade to 4.1.8
  - >4.2.0, <4.2.2 → Upgrade to 4.2.2
Additional Resources
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/
- https://nvd.nist.gov/vuln/detail/CVE-2015-5211
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- https://osv.dev/vulnerability/GHSA-pgf9-h69p-pcgf
- https://pivotal.io/security/cve-2015-5211
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector
- https://github.com/advisories/GHSA-pgf9-h69p-pcgf
- https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543
What are Similar Vulnerabilities to CVE-2015-5211?
Similar Vulnerabilities: CVE-2014-8736, CVE-2014-8737, CVE-2015-0205, CVE-2015-0206, CVE-2016-5007
