Vulnerability Name: CVE-2018-1199 (CCN-138601)
Assigned: 2017-12-06
Published: 2018-01-29
Updated: 2022-06-23
Summary: Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow the security constraints on secured Spring MVC static resource URLs to be bypassed.
CVSS v3 Severity:
  5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
  4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity:
  5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Vulnerability Type: CWE-20
Vulnerability Consequences: Bypass Security
References:
  Source: MITRE Type: CNA CVE-2018-1199
  Source: CCN Type: JVN#15643848 Spring Security and Spring Framework vulnerable to authentication bypass
  Source: REDHAT Type: Third Party Advisory RHSA-2018:2405
  Source: XF Type: UNKNOWN pivotal-cve20181199-sec-bypass(138601)
  Source: MLIST Type: Mailing List, Third Party Advisory [activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)
  Source: MLIST Type: Mailing List, Third Party Advisory [activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar
  Source: MLIST Type: Mailing List, Third Party Advisory [activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar
  Source: CCN Type: Pivotal Web site CVE-2018-1199: Security bypass with static resources
  Source: CONFIRM Type: Vendor Advisory https://pivotal.io/security/cve-2018-1199
  Source: CCN Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption) Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)
  Source: CCN Type: IBM Security Bulletin 6841803 (Cognos Controller) IBM Cognos Controller has addressed multiple vulnerabilities
  Source: CCN Type: IBM Security Bulletin 6984347 (Engineering Requirements Management DOORS) IBM Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6
  Source: MISC Type: Third Party Advisory https://www.oracle.com/security-alerts/cpujul2020.html
  Source: CCN Type: WhiteSource Vulnerability Database CVE-2018-1199
Vulnerable Configuration: Configuration 1: Configuration 2: Configuration 3: Configuration CCN 1: Denotes that component is vulnerable