The filename, when specified without a charset, is quoted but not checked for the presence of any unquoted " characters. We should check for those and turn them into a quoted-pair.
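
The quoting problem described above, as an added Java example that is not part of the original issue and is not Spring Framework's code. The class and method names are hypothetical, the filename is a constructed sample, and escaping backslashes as well as quotes is a choice made for this example.

```java
// Added illustration; names are hypothetical and this is not Spring Framework code.
public class FilenameQuoting {

    // Weak form: wraps the value in quotes without looking inside it.
    static String naive(String filename) {
        return "attachment; filename=\"" + filename + "\"";
    }

    // Hardened form: emit '"' and '\' as a quoted-pair, reject control characters.
    static String escaped(String filename) {
        StringBuilder sb = new StringBuilder("attachment; filename=\"");
        for (int i = 0; i < filename.length(); i++) {
            char c = filename.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character in filename");
            }
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Minimal quoted-string reader (assumes the header contains filename=").
    static String parseFilename(String header) {
        int start = header.indexOf("filename=\"") + "filename=\"".length();
        StringBuilder sb = new StringBuilder();
        for (int i = start; i < header.length(); i++) {
            char c = header.charAt(i);
            if (c == '\\' && i + 1 < header.length()) {
                sb.append(header.charAt(++i)); // quoted-pair: take next char literally
            } else if (c == '"') {
                break;                         // closing quote ends the value
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String name = "my \"draft\".pdf"; // constructed sample input
        System.out.println(naive(name));
        System.out.println(parseFilename(naive(name)));
        System.out.println(escaped(name));
        System.out.println(parseFilename(escaped(name)));
    }
}
```

With the naive form the reader stops at the first inner quote and returns a truncated name, leaving the rest of the value outside the quoted-string; with the escaped form it returns the original filename.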

Comment From: eranation

Spring Boot 2.0.x branch has no mitigation. (2.0.9.RELEASE is the latest and uses Spring 5.0.13, needs to be upgraded to 5.0.16, no?)

Comment From: snicoll

@eranation Spring Boot 2.0.x is EOL. If you are still using it, please upgrade as soon as possible to a supported version. In the meantime, you can set spring.version to 5.0.16.RELEASE to use a more recent maintenance release of that line.

Comment From: rstoyanchev

@rshanlever, please use the preferred channel for follow-up questions.

Comment From: RockyMM

To all affected in 4.3.x, this was solved by #24580 in 4.3.27. Security researchers (not Pivotal), please update the CVE report. 🙏

Comment From: rstoyanchev

@RockyMM it's worth pointing out that versions prior to 5.0 were never affected by CVE-2020-5398 and that is why they are not listed in the CVE report.

The affected ContentDisposition type, which can be used for the "inline" and "attachment" types that a server can use to suggest a file name to a client, did not exist prior to version 5.0. There were, however, methods for "Content-Disposition" in HttpHeaders, but those are for "form-data", which is used to post data from a client to a server, and hence a very different scenario. The change in #24580 was merely a minor improvement aimed at making the code consistent.