CVE-2010-3700
Spring Security Security Constraint Bypass
Severity Score
5.0
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.
VMware SpringSource Spring Security v2.x anterior a v2.0.6 y v3.x anterior a v3.0.4, y Acegi Security v1.0.0 hasta v1.0.7, como el usado en IBM WebSphere Application Server (WAS) v6.1 y v7.0, permite a los atacantes remotos evitar las restricciones de seguridad a través de un parámetro de ruta.
Spring Security does not consider URL path parameters when processing security constraints. By adding an URL path parameter to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2010-10-01 CVE Reserved
- 2010-10-28 CVE Published
- 2023-04-29 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| http://osvdb.org/68931 | Vdb Entry | |
| http://secunia.com/advisories/42024 | Third Party Advisory | |
| http://www.securityfocus.com/archive/1/514517/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/44496 | Vdb Entry | |
| http://www.springsource.com/security/cve-2010-3700 | X_refsource_confirm | |
| https://issues.apache.org/bugzilla/show_bug.cgi?id=25015 | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.0 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.0" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.0 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.0" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.1 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.1" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.1 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.1" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.2 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.2" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.2 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.2" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.3 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.3" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.3 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.3" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.4 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.4" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.4 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.4" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.5 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.5" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.5 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.5" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.6 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.6" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.6 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.6" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.7 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.7" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Acegisecurity Search vendor "Acegisecurity" | Acegi-security Search vendor "Acegisecurity" for product "Acegi-security" | 1.0.7 Search vendor "Acegisecurity" for product "Acegi-security" and version "1.0.7" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.0 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.0" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.0 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.0" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.1 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.1" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.1 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.1" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.2 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.2" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.2 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.2" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.3 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.3" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.3 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.3" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.4 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.4" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.4 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.4" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.5 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.5" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 2.0.5 Search vendor "Vmware" for product "Springsource Spring Security" and version "2.0.5" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.0 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.0" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.0 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.0" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.1 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.1" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.1 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.1" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.2 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.2" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.2 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.2" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.3 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.3" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 6.1 Search vendor "Ibm" for product "Websphere Application Server" and version "6.1" | - |
Affected
|
| Vmware Search vendor "Vmware" | Springsource Spring Security Search vendor "Vmware" for product "Springsource Spring Security" | 3.0.3 Search vendor "Vmware" for product "Springsource Spring Security" and version "3.0.3" | - |
Affected
| in | Ibm Search vendor "Ibm" | Websphere Application Server Search vendor "Ibm" for product "Websphere Application Server" | 7.0 Search vendor "Ibm" for product "Websphere Application Server" and version "7.0" | - |
Affected
|