CVSS3: 7.5 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.002 Low (Percentile: 60.9%)

Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x,
4.0.x, 4.1.x, 4.2.x both rely on URL pattern mappings, for authorization and
for mapping requests to controllers respectively. Differences in the
strictness of the two pattern matching mechanisms, for example with regard
to space trimming in path segments, can lead Spring Security to treat
certain paths as unprotected when they are in fact mapped to Spring MVC
controllers that should be protected. The problem is compounded by the fact
that the Spring Framework provides richer pattern matching features, and by
the fact that pattern matching in both Spring Security and the Spring
Framework can easily be customized, creating additional differences.
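
The mismatch described above can be audited with a small model. This is an added example, not Spring or Spring Security code: the Ant-style matcher, the `trim` switch, and the sample patterns and paths are constructed assumptions that stand in for a strict authorization matcher and a space-trimming request mapping.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not taken from the advisory).
PROTECTED_PATTERNS = ["/admin/**", "/reports/export"]
SAMPLE_PATHS = [
    "/admin/users",
    "/admin /users",     # space inside a leading segment
    "/admin/users ",     # space in a segment already covered by '**'
    "/reports/export ",  # space after an exactly matched segment
    "/public/info",
]

def _tokens(value, trim):
    """Split on '/', optionally trim spaces per segment, drop empty segments."""
    parts = (p.strip() if trim else p for p in value.split("/"))
    return [p for p in parts if p]

def _match(pat, segs):
    """Ant-style match: '**' spans zero or more segments, '*' and '?' stay in one."""
    if not pat:
        return not segs
    if pat[0] == "**":
        return any(_match(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and fnmatchcase(segs[0], pat[0]) and _match(pat[1:], segs[1:])

def matches(pattern, path, trim):
    """Model of one matcher; trim=True is the lenient one, trim=False the strict one."""
    return _match(_tokens(pattern, trim), _tokens(path, trim))

def find_divergences(protected_patterns, paths):
    """Return paths that a trimming matcher maps onto a protected pattern
    while a non-trimming matcher sees no protected pattern at all."""
    findings = []
    for path in paths:
        lenient = any(matches(p, path, trim=True) for p in protected_patterns)
        strict = any(matches(p, path, trim=False) for p in protected_patterns)
        if lenient and not strict:
            findings.append(path)
    return findings

if __name__ == "__main__":
    for path in find_divergences(PROTECTED_PATTERNS, SAMPLE_PATHS):
        print("matchers disagree on:", repr(path))
```

Any path this reports is one where the authorization rule and the controller mapping would not agree, so it is a candidate for a regression test or for a deny-by-default catch-all rule.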

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libspring-java | < any | UNKNOWN |