Bug 1578582 (CVE-2018-1258) - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security
Summary: CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1258
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1578937
Blocks: 1578941
TreeView+ depends on / blocked
 
Reported: 2018-05-15 22:23 UTC by Laura Pardo
Modified: 2021-10-04 06:39 UTC (History)
16 users (show)

Fixed In Version: spring-framework 5.0.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:23:02 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2413 0 None None None 2019-08-08 10:08:36 UTC

Description Laura Pardo 2018-05-15 22:23:19 UTC 
A flaw was found in Spring Security in combination with Spring Framework versions prior to 5.0.6 contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.


References:
https://pivotal.io/security/cve-2018-1258
Comment 1 Laura Pardo 2018-05-16 16:24:21 UTC 
Created springframework-security tracking bugs for this issue:

Affects: fedora-all [bug 1578937]
Comment 3 Hooman Broujerdi 2018-05-21 23:01:11 UTC 
Updating the flaw description: 

A flaw was found in Spring Security in combination with Spring Framework version 5.0.5.RELEASE only, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
Comment 5 errata-xmlrpc 2019-08-08 10:08:35 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.4.0

Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
Note You need to log in before you can comment on or make changes to this bug.