CVE-2016-9879

Name of the Vulnerable Software and Affected Versions Pivotal Spring Security versions 3.2.0 through 3.2.9 Pivotal Spring Security versions 4.0.x through 4.1.3 Pivotal Spring Security version 4.2.0

Description An issue was discovered in Pivotal Spring Security where it does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat are not affected by this vulnerability since Tomcat strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.

Recommendations For Pivotal Spring Security versions 3.2.0 through 3.2.9, upgrade to Spring Security 3.2.10 to reject the request with a RequestRejectedException if the presence of an encoded "/" is detected. For Pivotal Spring Security versions 4.0.x through 4.1.3, upgrade to Spring Security 4.1.4 to reject the request with a RequestRejectedException if the presence of an encoded "/" is detected. For Pivotal Spring Security version 4.2.0, upgrade to Spring Security 4.2.1 to reject the request with a RequestRejectedException if the presence of an encoded "/" is detected. As a temporary workaround, consider using a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo().