Critical severity9.6NVD Advisory· Published May 25, 2017· Updated May 13, 2026
CVE-2015-5211
CVE-2015-5211
Description
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-coreMaven | >= 4.2.0, < 4.2.2 | 4.2.2 |
org.springframework:spring-coreMaven | >= 4.0.0, < 4.1.8 | 4.1.8 |
org.springframework:spring-coreMaven | < 3.2.15 | 3.2.15 |
Affected products
36cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*+ 34 more
- cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Patches
303f547eb98682bd1daa75ee0a95c3d820dbcVulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/nvdExploitTechnical Description
- github.com/advisories/GHSA-pgf9-h69p-pcgfghsaADVISORY
- lists.debian.org/debian-lts-announce/2019/07/msg00012.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2015-5211ghsaADVISORY
- pivotal.io/security/cve-2015-5211nvdVendor AdvisoryWEB
- github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3ghsaWEB
- github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543ghsaWEB
- github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402ghsaWEB
- www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-VectorghsaWEB
News mentions
0No linked articles in our index yet.