Spring CVEs CVE-2018-1273 and CVE-2020-5398


Article ID: 271582


Products

Data Loss Prevention

Issue/Introduction

Vulnerability information for the Spring Data Commons and Spring Framework CVEs CVE-2018-1273 and CVE-2020-5398:

  • CVE-2018-1273 (mitre.org)
    • An unauthenticated remote attacker can supply specially crafted request parameters to Spring Data REST backed HTTP resources, or through Spring Data's projection-based request payload binding, which can lead to remote code execution.
  • CVE-2020-5398 (mitre.org)
    • An application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response whose filename attribute is derived from user-supplied input.
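The condition described for CVE-2020-5398 is easiest to see in code. The following is an added illustration, not code from this article, from DLP or from Spring: a hypothetical `SafeDisposition` helper that shows the vulnerable pattern (filename copied straight from the request) beside a hardened version that only emits an allowlisted name and extension. The class, method names and sample values are assumptions made for the example.

```java
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical helper (not part of DLP or Spring) for building a Content-Disposition header. */
public final class SafeDisposition {
    // Allowlist: letters, digits, dot, dash and underscore only; bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.[A-Za-z0-9]{1,8}");
    // Only extensions the application actually serves as downloads.
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "csv", "txt");

    /** Vulnerable pattern (the CVE-2020-5398 condition): the request value is written verbatim
     *  into the header, so the caller, not the application, decides the downloaded filename. */
    static String unsafeHeader(String requestedName) {
        return "attachment; filename=\"" + requestedName + "\"";
    }

    /** Hardened version: validate against an allowlist and fall back to a server-chosen name.
     *  Returns the fallback name whenever the input contains quotes, path separators,
     *  control characters or an extension the application does not serve. */
    static String safeHeader(String requestedName, String fallback) {
        String name = requestedName == null ? "" : requestedName.trim();
        boolean ok = SAFE_NAME.matcher(name).matches();
        if (ok) {
            String ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase();
            ok = ALLOWED_EXT.contains(ext);
        }
        if (!ok) {
            name = fallback; // server-controlled, never derived from the request
        }
        return "attachment; filename=\"" + name + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that would not be accepted by the allowlist.
        String crafted = "report.txt\"; filename=\"other";
        System.out.println(unsafeHeader(crafted));                    // header shaped by the input
        System.out.println(safeHeader(crafted, "export.csv"));        // attachment; filename="export.csv"
        System.out.println(safeHeader("invoice-2024.pdf", "export.csv")); // attachment; filename="invoice-2024.pdf"
    }
}
```

Note that the check is applied before the header is set; escaping the value after the fact is not a substitute for rejecting names the application never intended to serve.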

Environment

DLP 15.8

DLP 16.0

Resolution

Broadcom development has reviewed all DLP versions. DLP is NOT vulnerable to these CVEs:

  • CVE-2018-1273
    • DLP does not use Spring for HTTP communications and is therefore not impacted.
  • CVE-2020-5398
    • DLP does not use the org.springframework.http.ContentDisposition class and is therefore not impacted.