CVE-2018-1273: An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources, or through Spring Data's projection-based request payload binding, leading to remote code execution.
CVE-2020-5398: An application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response whose filename attribute is derived from user-supplied input.
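The RFD condition above is the filename attribute being built from client input. The following is an added example, not code from this article, from Broadcom DLP or from Spring: it shows the vulnerable pattern next to a hardened one that reduces the untrusted name to a conservative ASCII form, forces the extension onto an allow-list, and adds nosniff. The allow-list, fallback extension and sample inputs are constructed for illustration.

```python
import re
import unicodedata

# Constructed allow-list of extensions this download endpoint is willing to serve.
ALLOWED_EXTENSIONS = {"pdf", "csv", "txt", "png"}
FALLBACK_EXTENSION = "txt"
MAX_NAME_LENGTH = 100


def unsafe_content_disposition(user_supplied: str) -> str:
    """The vulnerable pattern: client input is copied straight into the header."""
    return f'attachment; filename="{user_supplied}"'


def sanitize_filename(user_supplied: str, fallback: str = "download") -> str:
    """Reduce an untrusted filename to a conservative ASCII form."""
    # 1. Keep only the last path component, whether / or \ separated.
    name = user_supplied.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Normalise Unicode, then drop control characters (CR/LF included)
    #    and the quote/semicolon characters that delimit header parameters.
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if ch.isprintable() and ch not in '";')
    # 3. Collapse anything outside a small safe set to '_' and trim leading/trailing dots and spaces.
    name = re.sub(r"[^A-Za-z0-9._ -]", "_", name).strip(". ")
    return name[:MAX_NAME_LENGTH] or fallback


def safe_filename(user_supplied: str) -> str:
    """Apply the sanitizer and force the extension onto the allow-list."""
    name = sanitize_filename(user_supplied)
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in ALLOWED_EXTENSIONS:
        return f"{stem}.{ext.lower()}"
    # No extension, or one this endpoint will not serve: replace it with the fallback.
    return f"{stem if dot else name}.{FALLBACK_EXTENSION}"


def download_headers(user_supplied: str, content_type: str) -> dict:
    """Response headers for a download whose requested filename came from the client."""
    return {
        "Content-Disposition": f'attachment; filename="{safe_filename(user_supplied)}"',
        "Content-Type": content_type,
        # Stop browsers from re-interpreting the body as a different type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs a client might send as a "filename" parameter.
    for requested in ["Q3 report.PDF", "setup.bat", "../../etc/passwd", 'a";b.csv', ""]:
        print(repr(requested), "->", download_headers(requested, "text/csv")["Content-Disposition"])
```

The sanitizer is deliberately strict: anything that is not a plain ASCII name with an allow-listed extension is rewritten rather than rejected, so the endpoint keeps working while the header can no longer carry a client-chosen extension or extra parameters.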
Environment
DLP 15.8
DLP 16.0
Resolution
Broadcom development has reviewed all DLP versions. DLP is NOT vulnerable to these CVEs:
CVE-2018-1273
DLP does not use Spring for HTTP communications and therefore is not impacted.
CVE-2020-5398
DLP does not use the org.springframework.http.ContentDisposition class and therefore is not impacted.