Clément Notin

Researcher at INTRINSEC
#37624 of 53,638
Total CVSS: 7.5
Vulnerabilities · 1
PT-2017-8646
7.5
2017-05-25
Spring · Spring Mvc · CVE-2016-5007
**Name of the Vulnerable Software and Affected Versions**

Spring Security versions 3.2.x through 4.1.0
Spring Framework versions 3.2.x through 4.2.x

**Description**

Spring Security and Spring MVC both rely on URL pattern matching, but for different purposes: Spring Security uses patterns (for example `antMatchers("/admin/**")`) to decide which requests need authorization, while Spring MVC uses the patterns on `@RequestMapping` methods to route requests to controllers. The two matchers differ in strictness; Spring MVC's matcher is the more lenient one, for example with regard to trimming whitespace in path segments. A crafted request path can therefore fail to match a Spring Security rule yet still be routed to the controller that rule was meant to protect, which is an authorization bypass on paths the application considers protected. The problem is made worse by the richer pattern features of the Spring Framework and by the fact that both projects let the path matcher be customised, so the two sides can drift apart without any error being reported.

**Recommendations**

Spring Security 3.2.x through 4.1.0: upgrade to Spring Security 4.1.1 or later, which introduces `MvcRequestMatcher` (`mvcMatchers(...)` in the Java configuration). It delegates matching to Spring MVC's own handler mappings, so authorization rules and controller routing are evaluated by the same code. If upgrading is not possible, configure Spring Security and Spring MVC with identically configured `PathMatcher` instances.

Spring Framework 3.2.x through 4.2.x: review the URL patterns on each controller and configure Spring MVC's `PathMatcher` (through `PathMatchConfigurer`) to be at least as strict as Spring Security's, for example by disabling segment trimming with `AntPathMatcher.setTrimTokens(false)`, so that every path that reaches a protected controller is also recognised by Spring Security.

As an interim workaround, add a deny-by-default catch-all rule (`anyRequest().authenticated()` or `anyRequest().denyAll()`) so that a path variant which slips past a specific rule is not served anonymously. This does not enforce the role restriction of the specific rule, so it reduces the impact but is not a fix.
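The mismatch described above and the two recommended fixes, as an added example that is not part of the advisory or of the Spring projects' own code. It assumes Spring Security 4.1.1 or later for `mvcMatchers`; the class names, the `/admin/users` path and the `ADMIN` role are hypothetical. The whitespace-trimming difference used here is the example the official CVE description gives for the strictness mismatch.

```java
// Added example (not from the advisory or the Spring projects): a Spring MVC
// controller plus a Spring Security 4.x Java configuration in its vulnerable
// form and its hardened form. Class names, paths and the role are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@RestController
class AdminController {
    // Spring MVC routes to this method with its own AntPathMatcher. In the
    // affected versions that matcher trimmed path segments, so a request for
    // "/admin /users" (trailing space in the first segment) still landed here.
    @RequestMapping(value = "/admin/users", method = RequestMethod.GET)
    public String users() {
        return "list of users";
    }
}

// VULNERABLE: shown for contrast only; do not register it together with the
// hardened configuration below (two adapters with the same order conflict).
@Configuration
@EnableWebSecurity
class VulnerableSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Spring Security's AntPathRequestMatcher does not trim segments:
            // "/admin /users" does not match "/admin/**", so this rule is skipped.
            .antMatchers("/admin/**").hasRole("ADMIN")
            // Everything unmatched is public, so the trimmed variant is served
            // to an anonymous caller: the authorization bypass.
            .anyRequest().permitAll();
    }
}

// HARDENED: authorization rules and controller routing use the same matcher.
@Configuration
@EnableWebSecurity
class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Spring Security 4.1.1+: MvcRequestMatcher asks Spring MVC's own
            // handler mappings whether the request matches, so both sides agree.
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            // Deny by default so an unmatched variant is never served anonymously.
            .anyRequest().authenticated();
    }
}

// Second half of the fix: make Spring MVC's matcher as strict as Spring
// Security's AntPathRequestMatcher, so "/admin /users" no longer routes to
// the controller at all.
@Configuration
class StrictPathMatchingConfig extends WebMvcConfigurerAdapter {
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        AntPathMatcher strict = new AntPathMatcher();
        strict.setTrimTokens(false);   // "admin " is not "admin"
        configurer.setPathMatcher(strict);
    }
}
```

With both halves in place, a request whose segment differs only by whitespace is rejected consistently: Spring MVC no longer maps it to the controller, and even if it did, `mvcMatchers` would evaluate the same mapping and apply the `ADMIN` rule. Keep the deny-by-default catch-all regardless, because any other pattern customisation on either side can reintroduce a gap.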