CVE-2012-5055 – Security: Ability to determine if username is valid via DaoAuthenticationProvider
https://notcve.org/view.php?id=CVE-2012-5055
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
References:
• http://support.springsource.com/security/CVE-2012-5055
• https://access.redhat.com/security/cve/CVE-2012-5055
• https://bugzilla.redhat.com/show_bug.cgi?id=886031
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2011-2731
https://notcve.org/view.php?id=CVE-2011-2731
Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.
References:
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
• http://secunia.com/advisories/55155
• http://support.springsource.com/security/cve-2011-2731
• http://www.securitytracker.com/id/1029151
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2011-2894 – Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
https://notcve.org/view.php?id=CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
References:
• http://osvdb.org/75263
• http://securityreason.com/securityalert/8405
• http://www.redhat.com/support/errata/RHSA-2011-1334.html
• http://www.securityfocus.com/archive/1/519593/100/0/threaded
• http://www.securityfocus.com/bid/49536
• http://www.springsource.com/security/cve-2011-2894
• https://exchange.xforce.ibmcloud.com/vulnerabilities/69687
• https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894
• https://access.redhat.com/security/cve/CVE-2011-2894
CWE-502: Deserialization of Untrusted Data
CVE-2011-2732 – Spring Security - HTTP Header Injection
https://notcve.org/view.php?id=CVE-2011-2732
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.
Spring Security allows the use of a parameter (named "spring-security-redirect" by default) to determine the location URL to which a user will be redirected after logging in. This will normally be submitted as part of the login request, so it is deemed to be an acceptable use of remotely supplied data. However, the functionality is in a base class which is also shared by the logout code, so a logout URL could be maliciously constructed to contain a version of this parameter containing CRLF characters in order to inject additional headers or split the response.
References:
• https://www.exploit-db.com/exploits/36130
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
• http://support.springsource.com/security/cve-2011-2732
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2010-3700 – Spring Security Security Constraint Bypass
https://notcve.org/view.php?id=CVE-2010-3700
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below).
References:
• http://osvdb.org/68931
• http://secunia.com/advisories/42024
• http://www.securityfocus.com/archive/1/514517/100/0/threaded
• http://www.securityfocus.com/bid/44496
• http://www.springsource.com/security/cve-2010-3700
• https://issues.apache.org/bugzilla/show_bug.cgi?id=25015
CWE-264: Permissions, Privileges, and Access Controls