CVE-2020-5421: 
Java vulnerability analysis and mitigation

CVE-2020-5421 is a security vulnerability affecting Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions. The vulnerability was disclosed on September 17, 2020, and allows bypassing the Reflected File Download (RFD) attack protections that were previously implemented for CVE-2015-5211 through the use of a jsessionid path parameter (Spring Security).

The vulnerability allows bypassing the RFD attack protections depending on the browser used through the use of a jsessionid path parameter. This affects the Content-Disposition custom HTTP header implementation in Spring Framework (Apache Mail Archives).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition or modification of data through RFD attacks (NetApp Security).

The vulnerability has been fixed in Spring Framework versions 5.2.9, 5.1.18, 5.0.19, and 4.3.29. Users should upgrade to these patched versions to mitigate the vulnerability (Spring Security).

The vulnerability was identified and responsibly reported by Keitaro Yamazaki of Ierae Security. Multiple organizations including Apache, Oracle and NetApp have released security advisories and patches for their affected products (Spring Security).