Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2016-5007

Good to know:

icon
icon

Date: May 25, 2017

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Language: Java

Severity Score

Related Resources (11)

https://nvd.nist.gov/vuln/detail/CVE-2016-5007
https://pivotal.io/security/cve-2016-5007
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974
https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5
https://github.com/spring-projects/spring-security/issues/3964
http://www.securityfocus.com/bid/91687
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://github.com/advisories/GHSA-8crv-49fr-2h6j
https://www.mend.io/resources/blog/top-10-security-vulnerabilities-of-2017
https://www.mend.io/vulnerability-database/CVE-2016-5007

Severity Score

Weakness Type (CWE)

Permissions, Privileges, and Access Control

CWE-264

Top Fix

icon

Upgrade Version

Upgrade to version org.springframework:spring-webmvc:4.3.0.RELEASE,org.springframework.security:spring-security-web:4.1.1.RELEASE,org.springframework.security:spring-security-config:4.1.1.RELEASE

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us