Bug 1578582 (CVE-2018-1258)

Summary: CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, chazlett, dblechte, drieden, eedri, hghasemb, java-sig-commits, lsurette, mgoldboi, michal.skrivanek, puntogil, Rhev-m-bugs, sbonazzo, sherold, srevivo, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: spring-framework 5.0.6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:23:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1578937    
Bug Blocks: 1578941    

Description Laura Pardo 2018-05-15 22:23:19 UTC 
A flaw was found in Spring Security in combination with Spring Framework versions prior to 5.0.6 contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.


References:
https://pivotal.io/security/cve-2018-1258
Comment 1 Laura Pardo 2018-05-16 16:24:21 UTC 
Created springframework-security tracking bugs for this issue:

Affects: fedora-all [bug 1578937]
Comment 3 Hooman Broujerdi 2018-05-21 23:01:11 UTC 
Updating the flaw description: 

A flaw was found in Spring Security in combination with Spring Framework version 5.0.5.RELEASE only, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
Comment 5 errata-xmlrpc 2019-08-08 10:08:35 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.4.0

Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413