CVE Vulnerabilities

CVE-2016-5007

Published: May 25, 2017 | Modified: Apr 11, 2022
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
4.3 MODERATE
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V3
5.3 MODERATE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Affected Software

Name Vendor Start Version End Version
Spring_framework Pivotal_software 3.2.0 (including) 3.2.0 (including)
Spring_framework Pivotal_software 4.0.0 (including) 4.0.0 (including)
Spring_framework Pivotal_software 4.1.0 (including) 4.1.0 (including)
Spring_framework Pivotal_software 4.2.0 (including) 4.2.0 (including)
Spring_framework Vmware 3.2.1 (including) 3.2.1 (including)
Spring_framework Vmware 3.2.2 (including) 3.2.2 (including)
Spring_framework Vmware 3.2.3 (including) 3.2.3 (including)
Spring_framework Vmware 3.2.4 (including) 3.2.4 (including)
Spring_framework Vmware 3.2.5 (including) 3.2.5 (including)
Spring_framework Vmware 3.2.6 (including) 3.2.6 (including)
Spring_framework Vmware 3.2.7 (including) 3.2.7 (including)
Spring_framework Vmware 3.2.8 (including) 3.2.8 (including)
Spring_framework Vmware 3.2.9 (including) 3.2.9 (including)
Spring_framework Vmware 3.2.10 (including) 3.2.10 (including)
Spring_framework Vmware 3.2.11 (including) 3.2.11 (including)
Spring_framework Vmware 3.2.12 (including) 3.2.12 (including)
Spring_framework Vmware 3.2.13 (including) 3.2.13 (including)
Spring_framework Vmware 3.2.14 (including) 3.2.14 (including)
Spring_framework Vmware 3.2.15 (including) 3.2.15 (including)
Spring_framework Vmware 3.2.16 (including) 3.2.16 (including)
Spring_framework Vmware 3.2.17 (including) 3.2.17 (including)
Spring_framework Vmware 3.2.18 (including) 3.2.18 (including)
Spring_framework Vmware 4.0.1 (including) 4.0.1 (including)
Spring_framework Vmware 4.0.2 (including) 4.0.2 (including)
Spring_framework Vmware 4.0.3 (including) 4.0.3 (including)
Spring_framework Vmware 4.0.4 (including) 4.0.4 (including)
Spring_framework Vmware 4.0.5 (including) 4.0.5 (including)
Spring_framework Vmware 4.0.6 (including) 4.0.6 (including)
Spring_framework Vmware 4.0.7 (including) 4.0.7 (including)
Spring_framework Vmware 4.0.8 (including) 4.0.8 (including)
Spring_framework Vmware 4.0.9 (including) 4.0.9 (including)
Spring_framework Vmware 4.1.1 (including) 4.1.1 (including)
Spring_framework Vmware 4.1.2 (including) 4.1.2 (including)
Spring_framework Vmware 4.1.3 (including) 4.1.3 (including)
Spring_framework Vmware 4.1.4 (including) 4.1.4 (including)
Spring_framework Vmware 4.1.5 (including) 4.1.5 (including)
Spring_framework Vmware 4.1.6 (including) 4.1.6 (including)
Spring_framework Vmware 4.1.7 (including) 4.1.7 (including)
Spring_framework Vmware 4.1.8 (including) 4.1.8 (including)
Spring_framework Vmware 4.1.9 (including) 4.1.9 (including)
Spring_framework Vmware 4.2.1 (including) 4.2.1 (including)
Spring_framework Vmware 4.2.2 (including) 4.2.2 (including)
Spring_framework Vmware 4.2.3 (including) 4.2.3 (including)
Spring_framework Vmware 4.2.4 (including) 4.2.4 (including)
Spring_framework Vmware 4.2.5 (including) 4.2.5 (including)
Spring_framework Vmware 4.2.6 (including) 4.2.6 (including)
Spring_framework Vmware 4.2.7 (including) 4.2.7 (including)
Spring_framework Vmware 4.2.8 (including) 4.2.8 (including)
Spring_framework Vmware 4.2.9 (including) 4.2.9 (including)
Spring_security Vmware 3.2.0 (including) 3.2.0 (including)
Spring_security Vmware 3.2.1 (including) 3.2.1 (including)
Spring_security Vmware 3.2.2 (including) 3.2.2 (including)
Spring_security Vmware 3.2.3 (including) 3.2.3 (including)
Spring_security Vmware 3.2.4 (including) 3.2.4 (including)
Spring_security Vmware 3.2.5 (including) 3.2.5 (including)
Spring_security Vmware 3.2.6 (including) 3.2.6 (including)
Spring_security Vmware 3.2.7 (including) 3.2.7 (including)
Spring_security Vmware 3.2.8 (including) 3.2.8 (including)
Spring_security Vmware 3.2.9 (including) 3.2.9 (including)
Spring_security Vmware 3.2.10 (including) 3.2.10 (including)
Spring_security Vmware 4.0.0 (including) 4.0.0 (including)
Spring_security Vmware 4.0.1 (including) 4.0.1 (including)
Spring_security Vmware 4.0.2 (including) 4.0.2 (including)
Spring_security Vmware 4.0.3 (including) 4.0.3 (including)
Spring_security Vmware 4.0.4 (including) 4.0.4 (including)
Spring_security Vmware 4.1.0 (including) 4.1.0 (including)
Libspring-java Ubuntu artful *
Libspring-java Ubuntu esm-apps/xenial *
Libspring-java Ubuntu esm-infra-legacy/trusty *
Libspring-java Ubuntu precise *
Libspring-java Ubuntu trusty *
Libspring-java Ubuntu trusty/esm *
Libspring-java Ubuntu wily *
Libspring-java Ubuntu xenial *
Libspring-java Ubuntu yakkety *
Libspring-java Ubuntu zesty *

References