CVE-2018-1199

Name of the Vulnerable Software and Affected Versions Spring Security versions 4.1.x through 4.1.4 Spring Security versions 4.2.x through 4.2.3 Spring Security versions 5.0.x through 5.0.0 Spring Framework versions 4.3.x through 4.3.13 Spring Framework versions 5.0.x through 5.0.2

Description The issue arises from the handling of URL path parameters in security constraints. By utilizing special encodings in URL path parameters, an attacker may bypass security constraints. This is due to the inconsistent handling of path parameters by different Servlet containers, which either include or exclude them from the value returned for getPathInfo(). As a result, secured Spring MVC static resource URLs can be bypassed using different character encodings in path parameters.

Recommendations For Spring Security versions 4.1.x through 4.1.4, update to version 4.1.5 or later. For Spring Security versions 4.2.x through 4.2.3, update to version 4.2.4 or later. For Spring Security versions 5.0.x through 5.0.0, update to version 5.0.1 or later. For Spring Framework versions 4.3.x through 4.3.13, update to version 4.3.14 or later. For Spring Framework versions 5.0.x through 5.0.2, update to version 5.0.3 or later.