CVE-2016-5007

Published May 25, 2017
Last updated 3 years ago
CVSS high 7.5
Overview

Description: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
Source: security_alert@emc.com
NVD status: Modified
Risk scores

CVSS 3.0

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH
CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:P/A:N
Weaknesses

nvd@nist.gov: CWE-264
Hype score: Not currently trending
Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_framework:3.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E02D9007-1215-4FD1-822A-BA95748E75D8"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_framework:4.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1C04E981-6FF9-4842-912B-EB5D3E9E7A68"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "01D83EE4-F71B-4186-A34E-9128B6DA333B"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_framework:4.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4CA248FC-6343-4A67-BFF8-A2DC07331B46"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D2E2EA60-735E-431E-BEFE-DC5C1046E532"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7CC0E26F-2E8B-4B30-8C43-8BD2015EBB88"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3CB73406-5FE4-438E-BCB7-57FBF6EC38D0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B76F06BC-F53E-4E37-B84F-3E992D459A49"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DD8CC0CF-61DE-4E3A-80DD-4AD34EBDF419"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "09D49870-9E17-4049-9ABB-311C319A0E8F"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB9CE889-FBC5-4078-ABAC-8BC6CA235D04"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AF34B57A-9732-44C8-9EC7-07394FB588F8"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C528FEA9-2E5E-413B-89C1-F14C67059702"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8C7EA42F-55C6-4934-8F60-98B7717188D2"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E1DA44C3-D083-4584-8ACC-73B234767669"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1D6399F2-B9D6-4097-89DB-5F4B434DFFD3"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BD49BDC0-3431-43CF-8FF0-4A159238991B"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.15:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3F3B36EB-205A-4173-AD67-C1C42117640F"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.16:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4302B7F-458C-43BD-A42D-D690C7884D0E"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.17:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0A187E52-6C33-4525-8A17-083BC9273638"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.18:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "279031C4-C398-4DEE-9BFF-F13483210585"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A0A0C100-FAD1-4004-AA42-AE508F4D540E"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BE8D78C3-5C4D-4FAD-BC0F-1AD8C55D88F2"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BDB13067-D890-414E-B7CD-A3C11A1DBC9F"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0AA135B9-819D-4FAF-8F98-EA4549575327"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1561FC1D-14AD-4FFB-9F46-C7CC47E04C6D"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06A86A8F-B9E0-4766-8F49-BC520E190CC4"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4A0A67CF-ECC3-4EDF-84D0-745E26BB508F"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "15BD140A-92B8-4DEA-8747-8C28E812D7BF"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "88C8E417-A8F7-42D2-BD71-178AD4192DDF"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CC1A4DB1-083B-4AAB-B1A2-CFFD487A1FBF"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "53D5991E-2CD0-42D9-8158-25FF18275B21"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "130DBD54-EF87-4A90-A727-F2BFFBF2DFA2"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FDB59905-C658-4EFD-B073-FE84F0BF1DDB"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B9382948-689D-40CD-ADC8-E41BB1F02D5B"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2D269ABA-5E23-4F3D-B999-C51B2494EE01"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F3BEAAF2-E45F-4F52-9A2A-BF1BBDA4D2E2"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "13B166FA-BA66-429C-AC17-88E2E9B1B86E"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FDD20D20-754C-482A-A8BD-54E612291840"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F2DF06FD-CFEE-4B60-8058-B44569BE8BE5"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06C17886-44CA-4B3E-970A-94383E9A4043"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "00BAC01A-9C49-46B0-B71F-D4940DAE2A7C"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D906B4B9-4881-4A13-B4CA-60DCF1FA8840"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C1E80958-4357-4AED-96F1-4D137F3E02BC"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F3A6AB95-34DC-4A7D-B35D-1B4388EB49A7"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FE93D33E-984A-4E71-A7E3-453EE0BC2064"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6366E283-0EED-41CD-9386-CE658AD949C4"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:4.2.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B3A07937-4F4F-4655-9160-C6284192A896"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EFD426B7-885E-4C37-BA39-9877BB10685F"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D32668E1-4839-474C-A97D-0A485BF3CE04"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF0DADB2-8D42-4592-9433-2941E3D57F95"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C97588A1-B874-41F2-871E-BD3D5057FAC0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "00D3C6A3-4C51-4B2D-867A-A17B3AA39A19"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B2D23169-794F-42BB-A03A-D6451756445B"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AE534FC0-0589-4DDA-9B5F-9ECD0BE5BE5C"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D9E33A46-01D0-4EA0-997F-6EAE4342C422"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F9A0E838-84BB-4AE8-A673-CF6F18239B36"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9FAD6EE1-7E45-46A9-8B08-D08800E57980"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:3.2.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8A32994D-80A3-4374-A43A-FBFBF7E43FA2"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:4.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D6EB9ACE-2DB9-4172-865E-3959DB978A38"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:4.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3514666E-9BC2-4A85-90D1-F21043B1194B"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:4.0.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EFFE8B4B-DE5E-4371-979F-2B9082E51BEE"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:4.0.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A98DAA63-459D-4CAA-A77F-AC7B476B2820"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:4.0.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DBD6D5D7-84B8-452A-9567-78F54D6AD363"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D4DC74CB-3FE2-436C-8F3B-6C607B1C868F"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References
