{"containers": {"cna": {"affected": [{"product": "Spring by Pivotal", "vendor": "Dell EMC", "versions": [{"status": "affected", "version": "spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3, 5.0.0"}, {"status": "affected", "version": "Spring Framework 5.0.0 - 5.0.2, 4.3.0 - 4.3.13"}, {"status": "affected", "version": "Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted"}]}], "datePublic": "2018-01-29T00:00:00", "descriptions": [{"lang": "en", "value": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."}], "problemTypes": [{"descriptions": [{"description": "Security bypass with static", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T02:22:57", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "RHSA-2018:2405", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"name": "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2018-1199"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2018-01-29T00:00:00", "ID": "CVE-2018-1199", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring by Pivotal", "version": {"version_data": [{"version_value": "spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3, 5.0.0"}, {"version_value": "Spring Framework 5.0.0 - 5.0.2, 4.3.0 - 4.3.13"}, {"version_value": "Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted"}]}}]}, "vendor_name": "Dell EMC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Security bypass with static"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:2405", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"name": "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://pivotal.io/security/cve-2018-1199", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-1199"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.970Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:2405", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"name": "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2018-1199"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1199", "datePublished": "2018-03-16T20:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-16T16:13:09.643Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "47399570-353A-40AC-B3C7-2E78232261DB", "versionEndExcluding": "4.3.14", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3AA57D0-0A3A-4B0C-B208-A5F272F722A8", "versionEndExcluding": "5.0.3", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "349CCF1E-320D-4411-98E4-B5B001376782", "versionEndExcluding": "4.1.5", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE8984CF-8B79-4267-B984-66817478638A", "versionEndExcluding": "4.2.4", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "B583A62A-EF04-4664-B8F5-57A02D833F75", "versionEndExcluding": "5.0.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*", "matchCriteriaId": "19A0F1AF-F2E6-44E7-8E2D-190E103B72D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "6D53690D-3390-4A27-988A-709CD89DD05B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."}, {"lang": "es", "value": "Spring Security (Spring Security en versiones 4.1.x anteriores a la 4.1.5, versiones 4.2.x anteriores a la 4.2.4 y versiones 5.0.x anteriores a la 5.0.1; y Spring Framework en versiones 4.3.x anteriores a la 4.3.14 y versiones 5.0.x anteriores a la 5.0.3) no tiene en cuenta los par\u00e1metros de ruta de URL al procesar limitaciones de seguridad. Al a\u00f1adir un par\u00e1metro de ruta URL con codificaciones especiales, un atacante podr\u00eda ser capaz de omitir una limitaci\u00f3n de seguridad. La causa ra\u00edz de este problema es la falta de claridad con respecto a la gesti\u00f3n de los par\u00e1metros de ruta en Servlet Specification. Algunos contenedores de Servlet incluyen par\u00e1metros de ruta en el valor devuelto a getPathInfo(), pero otros no. Spring Security emplea el valor devuelto por getPathInfo() como parte del proceso de mapeo de peticiones a limitaciones de seguridad. En este ataque en concreto, las diferentes codificaciones de caracteres empleadas en los par\u00e1metros de ruta permiten la omisi\u00f3n de URL de recursos est\u00e1ticos seguros de Spring MVC."}], "id": "CVE-2018-1199", "lastModified": "2023-11-07T02:55:51.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-16T20:29:00.430", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"source": "security_alert@emc.com", "url": "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E"}, {"source": "security_alert@emc.com", "url": "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E"}, {"source": "security_alert@emc.com", "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-1199"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:2405", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "spring", "product_name": "Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R7", "release_date": "2018-08-14T00:00:00Z"}], "bugzilla": {"description": "spring-framework: Improper URL path validation allows for bypassing of security checks on static resources", "id": "1540030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1540030"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."], "mitigation": {"lang": "en:us", "value": "As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath."}, "name": "CVE-2018-1199", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "springframework", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "spring", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:fuse_integration_services:2", "fix_state": "Affected", "package_name": "spring", "product_name": "Red Hat JBoss Fuse Integration Service 2"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "spring", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Not affected", "impact": "low", "package_name": "millicore", "product_name": "Red Hat OpenShift Enterprise 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhevm-dependencies", "product_name": "Red Hat Storage 3"}], "public_date": "2018-01-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1199\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1199\nhttps://pivotal.io/security/cve-2018-1199"], "threat_severity": "Important", "upstream_fix": "springframework-security 5.0.1, springframework-security 4.2.4, springframework-security 4.1.5, springframework 5.0.3, springframework 4.3.14"}