cnvd - cnvd-2017-00041

cnvd-2017-00041

Vulnerability from cnvd

Title: Pivotal Spring Security安全绕过漏洞

Description:

Pivotal Software Spring Security是美国Pivotal Software公司的一套为基于Spring的应用程序提供说明性安全保护的安全框架。

Spring Security 3.2.0 - 3.2.9版本，4.0.x - 4.1.3 版本和 4.2.0版本存在安全绕过漏洞。攻击者可利用此漏洞绕过安全限制并执行未授权的行为，从而有助于进一步攻击。

Severity: 中

Patch Name: Pivotal Spring Security安全绕过漏洞的补丁

Patch Description:

Pivotal Software Spring Security是美国Pivotal Software公司的一套为基于Spring的应用程序提供说明性安全保护的安全框架。

Spring Security 3.2.0 - 3.2.9版本，4.0.x - 4.1.3 版本和 4.2.0版本存在安全绕过漏洞。攻击者可利用此漏洞绕过安全限制并执行未授权的操作，从而有助于进一步攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可联系供应商获得补丁信息： https://pivotal.io/security/cve-2016-9879

Reference: http://www.securityfocus.com/bid/95142

Impacted products

Name
['Pivotal Software Spring Security >=3.2.0，<=3.2.9', 'Pivotal Software Spring Security >=4.0.x，<=4.1.3', 'Pivotal Software Spring Security 4.2.0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "95142"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9879",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9879"
    }
  },
  "description": "Pivotal Software Spring Security\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u4e3a\u57fa\u4e8eSpring\u7684\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u8bf4\u660e\u6027\u5b89\u5168\u4fdd\u62a4\u7684\u5b89\u5168\u6846\u67b6\u3002\r\n\r\nSpring Security 3.2.0 - 3.2.9\u7248\u672c\uff0c4.0.x - 4.1.3 \u7248\u672c\u548c 4.2.0\u7248\u672c\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u5e76\u6267\u884c\u672a\u6388\u6743\u7684\u884c\u4e3a\uff0c\u4ece\u800c\u6709\u52a9\u4e8e\u8fdb\u4e00\u6b65\u653b\u51fb\u3002",
  "discovererName": "Shumpei Asahara \u0026 Yuji Ito from NTT DATA Corporation",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://pivotal.io/security/cve-2016-9879",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-00041",
  "openTime": "2017-01-03",
  "patchDescription": "Pivotal Software Spring Security\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u4e3a\u57fa\u4e8eSpring\u7684\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u8bf4\u660e\u6027\u5b89\u5168\u4fdd\u62a4\u7684\u5b89\u5168\u6846\u67b6\u3002\r\n\r\nSpring Security 3.2.0 - 3.2.9\u7248\u672c\uff0c4.0.x - 4.1.3 \u7248\u672c\u548c 4.2.0\u7248\u672c\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u5e76\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\uff0c\u4ece\u800c\u6709\u52a9\u4e8e\u8fdb\u4e00\u6b65\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pivotal Spring Security\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal Software Spring Security \u003e=3.2.0\uff0c\u003c=3.2.9",
      "Pivotal Software Spring Security  \u003e=4.0.x\uff0c\u003c=4.1.3",
      "Pivotal Software Spring Security  4.2.0"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/95142",
  "serverity": "\u4e2d",
  "submitTime": "2016-12-30",
  "title": "Pivotal Spring Security\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2016-9879 (GCVE-0-2016-9879)

Vulnerability from cvelistv5

Published

2017-01-06 22:00

Modified

2024-08-06 03:07

Severity ?

CWE

Encoded "/" in path variables

Summary

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.

References

▼	URL	Tags
	https://access.redhat.com/errata/RHSA-2017:1832	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/95142	vdb-entry, x_refsource_BID
	https://pivotal.io/security/cve-2016-9879	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1	Version: Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:07:30.183Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2017:1832",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1832"
          },
          {
            "name": "95142",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/95142"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2016-9879"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1"
            }
          ]
        }
      ],
      "datePublic": "2017-01-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Encoded \"/\" in path variables",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "RHSA-2017:1832",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1832"
        },
        {
          "name": "95142",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/95142"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2016-9879"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2016-9879",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Encoded \"/\" in path variables"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2017:1832",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1832"
            },
            {
              "name": "95142",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/95142"
            },
            {
              "name": "https://pivotal.io/security/cve-2016-9879",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2016-9879"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2016-9879",
    "datePublished": "2017-01-06T22:00:00",
    "dateReserved": "2016-12-06T00:00:00",
    "dateUpdated": "2024-08-06T03:07:30.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted