CVE-2016-5007

Опубликовано: 25 мая 2017

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Ссылки

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/91687
Third Party Advisory
VDB Entry
https://pivotal.io/security/cve-2016-5007
Vendor Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/91687
Third Party Advisory
VDB Entry
https://pivotal.io/security/cve-2016-5007
Vendor Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:pivotal_software:spring_framework:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:pivotal_software:spring_framework:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:pivotal_software:spring_framework:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.15:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.16:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.17:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:3.2.18:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.0.9:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.5:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.6:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.7:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.8:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.1.9:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.3:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.4:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.5:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.6:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.7:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.8:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_framework:4.2.9:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:3.2.10:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*

EPSS

Процентиль: 52%

0.00291

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-264

Связанные уязвимости

CVE-2016-5007

CVSS3: 7.5

ubuntu

около 8 лет назад

CVE-2016-5007

CVSS3: 5.3

redhat

почти 9 лет назад

CVE-2016-5007

CVSS3: 7.5

debian

около 8 лет назад

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2. ...

GHSA-8crv-49fr-2h6j

CVSS3: 7.5

github

больше 6 лет назад

Spring Security and Spring Framework may not recognize certain paths that should be protected

EPSS

Процентиль: 52%

0.00291

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-264