Shumpei Asahara

Researcher at NTT DATA Corporation
#17988 of 53,635
15 CVSS total
Vulnerabilities · 2
High
2
PT-2017-10376
7.5
2017-01-06
Apache · Apache Tomcat · CVE-2016-9879
**Name of the Vulnerable Software and Affected Versions**

- Pivotal Spring Security versions 3.2.0 through 3.2.9
- Pivotal Spring Security versions 4.0.x through 4.1.3
- Pivotal Spring Security version 4.2.0

**Description**

An issue was discovered in Pivotal Spring Security where it does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint.

The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for `getPathInfo()` and some do not. Spring Security uses the value returned by `getPathInfo()` as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.

Users of Apache Tomcat are not affected by this vulnerability since Tomcat strips path parameters from the value returned by `getContextPath()`, `getServletPath()`, and `getPathInfo()`. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.

**Recommendations**

- For Pivotal Spring Security versions 3.2.0 through 3.2.9, upgrade to Spring Security 3.2.10 to reject the request with a `RequestRejectedException` if the presence of an encoded "/" is detected.
- For Pivotal Spring Security versions 4.0.x through 4.1.3, upgrade to Spring Security 4.1.4 to reject the request with a `RequestRejectedException` if the presence of an encoded "/" is detected.
- For Pivotal Spring Security version 4.2.0, upgrade to Spring Security 4.2.1 to reject the request with a `RequestRejectedException` if the presence of an encoded "/" is detected.
As a temporary workaround, consider using a Servlet container known not to include path parameters in the return values for `getServletPath()` and `getPathInfo()`.
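As an added example, not taken from the advisory or from Spring Security's own code base: a stand-alone Java check in the spirit of the `RequestRejectedException` behaviour the fixed versions introduce, flagging a request URI that carries an encoded "/" before the request reaches constraint mapping. It assumes Java 10+ and uses a local `RequestRejectedException` stand-in rather than Spring's class; the sample URIs are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/** Hypothetical stand-alone check; not Spring Security's implementation. */
public final class EncodedSlashCheck {

    /** Local stand-in for Spring Security's RequestRejectedException. */
    public static final class RequestRejectedException extends RuntimeException {
        RequestRejectedException(String msg) { super(msg); }
    }

    /**
     * True if the raw (undecoded) request URI, or the URI after one round of
     * percent-decoding, contains "%2F" in any letter case.
     */
    public static boolean containsEncodedSlash(String rawRequestUri) {
        if (rawRequestUri == null) return false;
        if (rawRequestUri.toLowerCase(Locale.ROOT).contains("%2f")) return true;
        try {
            // One decode round also catches double-encoding such as %252F -> %2F.
            String decoded = URLDecoder.decode(rawRequestUri, StandardCharsets.UTF_8);
            return decoded.toLowerCase(Locale.ROOT).contains("%2f");
        } catch (IllegalArgumentException malformed) {
            // Malformed percent sequence: treat as suspicious and reject.
            return true;
        }
    }

    /** Call this from a Filter with request.getRequestURI() (the raw form). */
    public static void rejectIfEncodedSlash(String rawRequestUri) {
        if (containsEncodedSlash(rawRequestUri)) {
            throw new RequestRejectedException(
                "Encoded '/' detected in request URI: " + rawRequestUri);
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs, not captured traffic.
        String[] samples = {
            "/app/secure/report",        // allow
            "/app/secure;v=1/report",    // plain path parameter: allow (out of scope here)
            "/app/secure%2Freport",      // reject
            "/app/secure%252Freport",    // reject after one decode round
            "/app/secure%2"              // reject: malformed escape
        };
        for (String uri : samples) {
            System.out.println(uri + " -> " + (containsEncodedSlash(uri) ? "REJECT" : "allow"));
        }
    }
}
```

The check deliberately keys on the raw URI rather than on `getServletPath()` or `getPathInfo()`, since those are exactly the values whose container-specific handling the advisory describes.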