CVE-2016-5007
HIGHSpring Framework - Authorization Bypass via URL Pattern Matching Discrepancy
Title source: llmDescription
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/91687
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2016-5007
Vendor Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Scores
CVSS v3
7.5
EPSS
0.0015
EPSS Percentile
35.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-264
Status
published
Products (50)
org.springframework/spring-core
0 - 4.3.1Maven
org.springframework.security/spring-security-core
0 - 4.1.1Maven
Pivotal/Spring Framework
3.2.x
Pivotal/Spring Framework
4.0.x
Pivotal/Spring Framework
4.1.x
Pivotal/Spring Framework
4.2.x
Pivotal/Spring Framework
older unsupported versions are also affected
Pivotal/Spring Security
3.2.x
Pivotal/Spring Security
4.0.x
Pivotal/Spring Security
4.1.0
... and 40 more
Published
May 25, 2017
Tracked Since
Feb 18, 2026