Page 2 of 7 results (0.013 seconds)

CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. • http://www.securityfocus.com/bid/95142 https://access.redhat.com/errata/RHSA-2017:1832 https://pivotal.io/security/cve-2016-9879 https://access.redhat.com/security/cve/CVE-2016-9879 https://bugzilla.redhat.com/show_bug.cgi?id=1409838 • CWE-20: Improper Input Validation CWE-417: Communication Channel Errors •

CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. El ActiveDirectoryLdapAuthenticator en Spring Security versiones de la 3.2.0 a la 3.2.1 y de la 3.1.0 a la 3.1.5 no chequea la longitud de la contraseña. Si el directorio permite enlaces anónimos entonces podría autenticar de forma incorrecta a un usuario que proporcionase una contraseña vacía. • https://pivotal.io/security/cve-2014-0097 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-287: Improper Authentication •