CVE-2016-5007

Published: 25/05/2017 Updated: 11/04/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

Spring Security 3.2.x, 4.0.x and 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x and 4.2.x both rely on URL pattern mappings: Spring Security uses them for authorization, the Spring Framework for mapping requests to controllers. Differences in the strictness of the two pattern matching mechanisms, for example in whether whitespace is trimmed from path segments, can cause Spring Security to treat certain request paths as unprotected even though Spring MVC maps them to controllers that should be protected. The problem is compounded by the fact that the Spring Framework offers richer pattern matching features, and that pattern matching in both Spring Security and the Spring Framework can easily be customized, which creates additional differences.
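As an added illustration (not part of this advisory or of the Spring projects' own code), the following Java check compares a matcher configured like the affected Spring MVC default (whitespace trimmed from path segments) with one configured strictly, the way Spring Security compares segments, and lists the request paths on which the two disagree. It assumes spring-core on the classpath; the class name and the probe paths are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added example: detect pattern-matching disagreements between an MVC-style
// matcher (trimTokens=true, the affected default) and a strict security-style
// matcher (trimTokens=false). Not code from the advisory or from Spring itself.
public class PatternStrictnessCheck {

    private final AntPathMatcher mvcStyle = new AntPathMatcher();
    private final AntPathMatcher securityStyle = new AntPathMatcher();

    public PatternStrictnessCheck() {
        mvcStyle.setTrimTokens(true);       // "admin " and "admin" become the same segment
        securityStyle.setTrimTokens(false); // segments are compared exactly as received
    }

    /** Returns every probe path on which the two matchers disagree for the given pattern. */
    public List<String> disagreements(String pattern, List<String> probePaths) {
        List<String> mismatched = new ArrayList<>();
        for (String path : probePaths) {
            boolean routed = mvcStyle.match(pattern, path);       // would MVC dispatch it here?
            boolean guarded = securityStyle.match(pattern, path); // would the security rule apply?
            if (routed != guarded) {
                mismatched.add(path);
            }
        }
        return mismatched;
    }

    public static void main(String[] args) {
        // Constructed probe paths: the canonical path, the same segment with a trailing
        // space (the decoded form of a "%20" suffix), and a nested path under it.
        List<String> probes = Arrays.asList("/admin", "/admin ", "/admin/users");
        List<String> gaps = new PatternStrictnessCheck().disagreements("/admin/**", probes);
        if (gaps.isEmpty()) {
            System.out.println("MVC and security matchers agree on all probe paths");
        } else {
            // Mitigation: configure the MVC matcher with trimTokens=false as well, and keep a
            // deny-by-default rule (for example anyRequest().authenticated()) so that a path
            // the protected-area rule does not cover is still rejected rather than served.
            System.out.println("Paths routed by MVC but missed by the security rule: " + gaps);
        }
    }
}
```

Run as a unit test in the build, the same comparison flags any future customization of either matcher that reintroduces a strictness gap.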

Vulnerable Products

vmware spring framework 3.2.6

vmware spring framework 3.2.7

vmware spring framework 3.2.8

vmware spring framework 3.2.15

vmware spring framework 3.2.16

vmware spring framework 4.0.4

vmware spring framework 4.0.5

vmware spring framework 4.1.3

vmware spring framework 4.1.4

vmware spring framework 4.2.1

vmware spring framework 4.2.2

vmware spring framework 4.2.9

vmware spring security 3.2.0

vmware spring security 3.2.8

vmware spring security 3.2.9

vmware spring security 4.1.0

vmware spring framework 3.2.4

vmware spring framework 3.2.5

vmware spring framework 3.2.13

vmware spring framework 3.2.14

vmware spring framework 4.0.2

vmware spring framework 4.0.3

pivotal software spring framework 4.1.0

vmware spring framework 4.1.1

vmware spring framework 4.1.2

vmware spring framework 4.1.9

pivotal software spring framework 4.2.0

vmware spring framework 4.2.7

vmware spring framework 4.2.8

vmware spring security 3.2.6

vmware spring security 3.2.7

vmware spring security 4.0.3

vmware spring security 4.0.4

vmware spring framework 3.2.2

vmware spring framework 3.2.3

vmware spring framework 3.2.11

vmware spring framework 3.2.12

pivotal software spring framework 4.0.0

vmware spring framework 4.0.1

vmware spring framework 4.0.8

vmware spring framework 4.0.9

vmware spring framework 4.1.7

vmware spring framework 4.1.8

vmware spring framework 4.2.5

vmware spring framework 4.2.6

vmware spring security 3.2.3

vmware spring security 3.2.4

vmware spring security 3.2.5

vmware spring security 4.0.1

vmware spring security 4.0.2

pivotal software spring framework 3.2.0

vmware spring framework 3.2.1

vmware spring framework 3.2.9

vmware spring framework 3.2.10

vmware spring framework 3.2.17

vmware spring framework 3.2.18

vmware spring framework 4.0.6

vmware spring framework 4.0.7

vmware spring framework 4.1.5

vmware spring framework 4.1.6

vmware spring framework 4.2.3

vmware spring framework 4.2.4

vmware spring security 3.2.1

vmware spring security 3.2.2

vmware spring security 3.2.10

vmware spring security 4.0.0

Vendor Advisories

It was found that differences in the strictness of Spring Security and Spring Framework request mapping could lead to resources not being secured. An attacker could use this flaw to bypass authentication ...
Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Affected products and versions are listed below. Please upgrade your version to the appropriate version ...

Github Repositories

spring security

20220625 Note: the way Spring Security is implemented has changed. WebSecurityConfigurerAdapter => WebSecurityConfiguration. Security is now configured through bean definitions rather than by inheritance. WebSecurityConfiguration is given proxyBeanMethods = false so that an object is created each time. @Configuration( proxyBeanMethods = false ) public class WebSecurityConfiguration