VYPR
Critical severity 9.6 · NVD Advisory · Published May 25, 2017 · Updated Jun 17, 2026

CVE-2015-5211

Description

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-core (Maven) | >= 4.2.0, < 4.2.2 | 4.2.2 |
| org.springframework:spring-core (Maven) | >= 4.0.0, < 4.1.8 | 4.1.8 |
| org.springframework:spring-core (Maven) | < 3.2.15 | 3.2.15 |

Affected products

37
  • cpe:2.3:a:vmware:spring_framework (35 versions):
    • cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 4.2.0, < 4.2.2

References

9
