CVE-2016-5007
CVE-2016-5007 is a vulnerability of currently unknown severity. Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. EPSS estimates a 2.78% chance of exploitation in the next 30 days.
Description
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern-matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern-matching features than Spring Security, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, which creates additional differences.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Spring Framework | 3.2.0 |
| Pivotal Software | Spring Framework | 4.0.0 |
| Pivotal Software | Spring Framework | 4.1.0 |
| Pivotal Software | Spring Framework | 4.2.0 |
| Vmware | Spring Framework | 3.2.1 |
| Vmware | Spring Framework | 3.2.2 |
| Vmware | Spring Framework | 3.2.3 |
| Vmware | Spring Framework | 3.2.4 |
| Vmware | Spring Framework | 3.2.5 |
| Vmware | Spring Framework | 3.2.6 |
| Vmware | Spring Framework | 3.2.7 |
| Vmware | Spring Framework | 3.2.8 |
| Vmware | Spring Framework | 3.2.9 |
| Vmware | Spring Framework | 3.2.10 |
| Vmware | Spring Framework | 3.2.11 |
| Vmware | Spring Framework | 3.2.12 |
| Vmware | Spring Framework | 3.2.13 |
| Vmware | Spring Framework | 3.2.14 |
| Vmware | Spring Framework | 3.2.15 |
| Vmware | Spring Framework | 3.2.16 |
| Vmware | Spring Framework | 3.2.17 |
| Vmware | Spring Framework | 3.2.18 |
| Vmware | Spring Framework | 4.0.1 |
| Vmware | Spring Framework | 4.0.2 |
| Vmware | Spring Framework | 4.0.3 |
| Vmware | Spring Framework | 4.0.4 |
| Vmware | Spring Framework | 4.0.5 |
| Vmware | Spring Framework | 4.0.6 |
| Vmware | Spring Framework | 4.0.7 |
| Vmware | Spring Framework | 4.0.8 |
| Vmware | Spring Framework | 4.0.9 |
| Vmware | Spring Framework | 4.1.1 |
| Vmware | Spring Framework | 4.1.2 |
| Vmware | Spring Framework | 4.1.3 |
| Vmware | Spring Framework | 4.1.4 |
| Vmware | Spring Framework | 4.1.5 |
| Vmware | Spring Framework | 4.1.6 |
| Vmware | Spring Framework | 4.1.7 |
| Vmware | Spring Framework | 4.1.8 |
| Vmware | Spring Framework | 4.1.9 |
| Vmware | Spring Framework | 4.2.1 |
| Vmware | Spring Framework | 4.2.2 |
| Vmware | Spring Framework | 4.2.3 |
| Vmware | Spring Framework | 4.2.4 |
| Vmware | Spring Framework | 4.2.5 |
| Vmware | Spring Framework | 4.2.6 |
| Vmware | Spring Framework | 4.2.7 |
| Vmware | Spring Framework | 4.2.8 |
| Vmware | Spring Framework | 4.2.9 |
| Vmware | Spring Security | 3.2.0 |
Showing 50 of 66 affected configurations. See NVD for the full list.
References
- http://www.securityfocus.com/bid/91687 (Third Party Advisory, VDB Entry)
- https://pivotal.io/security/cve-2016-5007 (Vendor Advisory)
Source: NVD / NIST
