Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. It was found that differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected.

Affected versions:
Spring Security 3.2.x, 4.0.x, 4.1.0
Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x
Other unsupported versions are also affected

Upstream patches:
https://github.com/spring-projects/spring-framework/commit/a30ab3
https://github.com/spring-projects/spring-security/commit/e4c13e

Upstream bug:
https://github.com/spring-projects/spring-security/issues/3964

External References:
https://pivotal.io/security/cve-2016-5007
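The mismatch described above, as an added example that is not Spring code and not part of the original report: a simplified model in which one layer compares path segments strictly and the other trims whitespace first, plus a check that flags requests on which they disagree. All class and method names, the `/admin/*` rule and the sample paths are constructed for illustration.

```java
import java.util.List;

public class MatcherDivergence {

    // Strict comparison: segments must be equal character for character
    // (stands in for the authorization layer's pattern check).
    static boolean strictMatch(String pattern, String path) {
        return matchSegments(pattern.split("/", -1), path.split("/", -1), false);
    }

    // Lenient comparison: whitespace around each segment is trimmed first
    // (stands in for the controller-mapping layer).
    static boolean trimmingMatch(String pattern, String path) {
        return matchSegments(pattern.split("/", -1), path.split("/", -1), true);
    }

    private static boolean matchSegments(String[] pat, String[] seg, boolean trim) {
        if (pat.length != seg.length) return false;
        for (int i = 0; i < pat.length; i++) {
            String p = trim ? pat[i].trim() : pat[i];
            String s = trim ? seg[i].trim() : seg[i];
            if (!p.equals("*") && !p.equals(s)) return false;
        }
        return true;
    }

    // True when the request would reach a handler mapped under the protected
    // pattern while the authorization check does not see it as protected.
    static boolean diverges(String protectedPattern, String path) {
        return trimmingMatch(protectedPattern, path) && !strictMatch(protectedPattern, path);
    }

    // Mitigation sketch: refuse paths whose segments carry surrounding whitespace
    // so both layers always evaluate the same string.
    static boolean hasPaddedSegment(String path) {
        for (String s : path.split("/", -1)) {
            if (!s.equals(s.trim())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String pattern = "/admin/*"; // constructed rule
        List<String> paths = List.of("/admin/users", "/admin /users", "/public/users");
        for (String path : paths) {
            System.out.printf("%-16s strict=%-5b trimming=%-5b diverges=%-5b reject=%b%n",
                "'" + path + "'", strictMatch(pattern, path), trimmingMatch(pattern, path),
                diverges(pattern, path), hasPaddedSegment(path));
        }
    }
}
```

Only the padded path is reported as diverging; the durable fix is for both layers to apply the same matching rules to the same string, with the padded-segment rejection as a stopgap.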
Created springframework-security tracking bugs for this issue: Affects: fedora-all [bug 1353905]
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1353904]
Hi

There is a typo in the alias used for this bugzilla entry, I think it should be CVE-2016-5007. CVE-2015-5007 is an issue for IBM WebSphere Commerce.

HTH,

Salvatore
(In reply to Salvatore Bonaccorso from comment #3)
> Hi
>
> There is a typo in the alias used for this bugzilla entry, I think it should
> be CVE-2016-5007. CVE-2015-5007 is an issue for IBM WebSphere Commerce.
>
> HTH,
>
> Salvatore

Hi,

WebSphere support is not available in Spring packages. It was removed by default.
So these bugs are invalid for us?

Regards
.g
This bug is not related to IBM WebSphere. It only relates to Spring (Web) and Spring Security. There was a typo in the CVE name used for the flaw; it has now been updated to CVE-2016-5007.