A header injection flaw was found in the way Spring Security processed the value of the 'spring-security-redirect' parameter during user logout. A remote attacker could provide a specially crafted URL which, once visited by a valid user of a Spring Security application, could allow the attacker to inject additional HTTP headers into the response or split the response. References: [1] http://www.securityfocus.com/archive/1/519592/30/0/threaded [2] http://www.springsource.com/security/cve-2011-2732
Sample PoC (from [1]): ======================= <quote> Example: A logout link such as /mywebapp/logout/spring-security-redirect=%0d%0a%20NewHeader%3ainjectedValue could be used to inject the header NewHeader:InjectedValue to the response </quote>
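As an added example (not code from the advisory, the Bugtraq post or the Spring Security project), a Python check a defender can apply to the mechanism described above: a validator for the redirect target that rejects the CR/LF the PoC relies on (and the double-encoded form of it), the flawed header construction modelled beside its hardened form, and a pass over constructed access-log lines that flags attempts. The parameter name is the real one; the log lines and function names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not real traffic); line 2 carries the PoC value
# quoted above, line 3 a double-encoded variant of the same idea.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /mywebapp/logout?spring-security-redirect=/mywebapp/home HTTP/1.1" 302',
    '10.0.0.7 - - "GET /mywebapp/logout?spring-security-redirect=%0d%0a%20NewHeader%3ainjectedValue HTTP/1.1" 302',
    '10.0.0.9 - - "GET /mywebapp/logout?spring-security-redirect=%250d%250a%20NewHeader%3ainjectedValue HTTP/1.1" 302',
]

_CTRL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_REDIRECT_PARAM = re.compile(r'spring-security-redirect=([^\s&"]*)')


def redirect_target_is_safe(raw_value: str) -> bool:
    """True only if the percent-encoded parameter decodes to a site-relative
    path with no control characters. Decoding repeats so a double-encoded
    %250d%250a cannot smuggle a CR/LF past a single-pass check."""
    value = raw_value
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if _CTRL_CHARS.search(value):       # CR/LF would terminate the Location header
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:    # absolute or scheme-relative URL: open redirect
        return False
    return value.startswith("/")


def flawed_location_header(raw_value: str) -> str:
    """Models the pre-fix behaviour: the decoded value is copied verbatim,
    so an embedded CR/LF starts a new, attacker-chosen header line."""
    return "Location: " + unquote(raw_value)


def hardened_location_header(raw_value: str, fallback: str = "/") -> str:
    """Hardened form: validate first, fall back to a fixed path otherwise."""
    target = unquote(raw_value) if redirect_target_is_safe(raw_value) else fallback
    return "Location: " + target


def flag_injection_attempts(log_lines):
    """Return the log lines whose redirect parameter fails validation."""
    flagged = []
    for line in log_lines:
        match = _REDIRECT_PARAM.search(line)
        if match and not redirect_target_is_safe(match.group(1)):
            flagged.append(line)
    return flagged
```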
Statement: Not vulnerable. This issue affects the Spring Security package, which is not shipped with any Red Hat products.