Bug 1353902 (CVE-2016-5007)

Summary: CVE-2016-5007 spring: Path matching inconsistency
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, aileenc, bmcclain, carnil, chazlett, dmcphers, eedri, java-sig-commits, jialiu, jokerman, jshepherd, lmeyer, lsurette, mgoldboi, michal.skrivanek, mmccomas, msrb, puntogil, sbonazzo, srevivo, tiwillia, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that differences in the strictness of Spring Security and Spring Framework request mapping could lead to resources not being secured. An attacker could use this flaw to bypass authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:54:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1353904, 1353905
Bug Blocks: 1353906

Description Adam Mariš 2016-07-08 11:27:59 UTC
Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers, respectively. It was found that differences in the strictness of the pattern matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected.

Affected versions:

Spring Security 3.2.x, 4.0.x, 4.1.0
Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x
Other unsupported versions are also affected

Upstream patches:

https://github.com/spring-projects/spring-framework/commit/a30ab3
https://github.com/spring-projects/spring-security/commit/e4c13e

Upstream bug:

https://github.com/spring-projects/spring-security/issues/3964

External References:

https://pivotal.io/security/cve-2016-5007
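As an added illustration of the mismatch the description names (not code from this report or from the Spring projects), the following models two simplified Ant-style matchers of different strictness: a routing side that trims whitespace inside path segments and an authorization side that compares segments verbatim. The check lists request paths that reach a controller whose mapping is secured while matching no security rule themselves; the matcher, rules, mappings and request paths are constructed here and do not reproduce Spring's actual implementation.

```python
def split_path(path, trim_tokens):
    """Split a path into segments; optionally trim whitespace inside each segment."""
    segments = [s for s in path.split("/") if s != ""]
    return [s.strip() for s in segments] if trim_tokens else segments

def ant_match(pattern, path, trim_tokens):
    """Simplified Ant-style match: literal segments, '*' (one segment), '**' (any)."""
    pat, segs = split_path(pattern, trim_tokens), split_path(path, trim_tokens)
    def rec(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(segs) + 1))
        if j < len(segs) and pat[i] in ("*", segs[j]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)

def routes_to_controller(mappings, path, trim_tokens):
    """Routing side: the controller mapping this request would reach, or None."""
    return next((m for m in mappings if ant_match(m, path, trim_tokens)), None)

def is_protected(secured_patterns, path, trim_tokens):
    """Authorization side: does any secured pattern cover this path?"""
    return any(ant_match(p, path, trim_tokens) for p in secured_patterns)

def find_unprotected_routes(secured, mappings, paths, auth_trim, route_trim):
    """Request paths that reach a controller whose mapping is secured, yet match
    no security rule themselves: the gap the two matchers' strictness opens."""
    gaps = []
    for path in paths:
        mapping = routes_to_controller(mappings, path, route_trim)
        if mapping is None or not is_protected(secured, mapping, auth_trim):
            continue  # unrouted, or a deliberately public controller
        if not is_protected(secured, path, auth_trim):
            gaps.append(path)
    return gaps

# Constructed sample rules, controller mappings and requests (not from the report).
SECURED = ["/admin/**"]
MAPPINGS = ["/admin/users", "/public/info"]
REQUESTS = ["/admin/users", "/ admin/users", "/admin/ users", "/public/info"]

if __name__ == "__main__":
    # Authorization compares segments verbatim while routing trims them: a gap appears.
    print(find_unprotected_routes(SECURED, MAPPINGS, REQUESTS, auth_trim=False, route_trim=True))
    # Same strictness on both sides: no request reaches a protected controller unchecked.
    print(find_unprotected_routes(SECURED, MAPPINGS, REQUESTS, auth_trim=False, route_trim=False))
```

The same check can be run against a real deployment's security rules and controller mappings to confirm that both layers tokenize paths identically after a framework upgrade.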

Comment 1 Adam Mariš 2016-07-08 11:28:37 UTC
Created springframework-security tracking bugs for this issue:

Affects: fedora-all [bug 1353905]

Comment 2 Adam Mariš 2016-07-08 11:28:48 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1353904]

Comment 3 Salvatore Bonaccorso 2016-07-10 17:35:59 UTC
Hi

There is a typo in the alias used for this bugzilla entry, I think it should be CVE-2016-5007. CVE-2015-5007 is an issue for IBM WebSphere Commerce.

HTH,

Salvatore

Comment 4 gil cattaneo 2016-07-12 08:39:07 UTC
(In reply to Salvatore Bonaccorso from comment #3)
> Hi
> 
> There is a typo in the alias used for this bugzilla entry, I think it should
> be CVE-2016-5007. CVE-2015-5007 is an issue for IBM WebSphere Commerce.
> 
> HTH,
> 
> Salvatore

Hi,
WebSphere support is not available in the Spring packages; it was removed by default.
So these bugs are invalid for us?
Regards,
.g

Comment 5 Jason Shepherd 2016-07-14 05:15:10 UTC
This bug is not related to IBM WebSphere. It only relates to Spring (Web) and Spring Security. There was a typo in the CVE name used for the flaw; it has now been updated to CVE-2016-5007.