CVE-2011-2732

VMware SpringSource Spring Security < 2.0.6 - Code Injection

Title source: rule

Description

CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.

Exploits (2)

exploitdb WRITEUP VERIFIED
by David Mas · text · remote · multiple
https://www.exploit-db.com/exploits/36130

Scores

EPSS 0.0716
EPSS Percentile 91.6%

Details

CWE
CWE-94
Status published
Products (13)
org.springframework.security/spring-security-core 0 - 2.0.7 (Maven)
vmware/springsource_spring_security 2.0.0
vmware/springsource_spring_security 2.0.1
vmware/springsource_spring_security 2.0.2
vmware/springsource_spring_security 2.0.3
vmware/springsource_spring_security 2.0.4
vmware/springsource_spring_security 2.0.5
vmware/springsource_spring_security 3.0.0
vmware/springsource_spring_security 3.0.1
vmware/springsource_spring_security 3.0.2
... and 3 more
Published Dec 05, 2012
Tracked Since Feb 18, 2026