CVE-2016-9879

Security: Improper handling of path parameters allows bypassing the security constraint

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.

It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint.

*Credits: N/A
CVSS Scores
Metric               CVSS v3 (first)   CVSS v3 (second)   CVSS v2
Attack Vector        Network           Network            Network
Attack Complexity    Low               Low                Low
Privileges Required  None              Low                n/a
Authentication       n/a               n/a                None
User Interaction     None              None               n/a
Scope                Unchanged         Unchanged          n/a
Confidentiality      None              None               None
Integrity            High              High               Partial
Availability         None              None               None
(n/a: metric does not exist in that CVSS version)
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2016-12-06 CVE Reserved
  • 2017-01-06 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-417: Communication Channel Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product                        Version   Other   Status
Vmware   Spring Security                3.2.0     -       Affected
Vmware   Spring Security                3.2.1     -       Affected
Vmware   Spring Security                3.2.2     -       Affected
Vmware   Spring Security                3.2.3     -       Affected
Vmware   Spring Security                3.2.4     -       Affected
Vmware   Spring Security                3.2.5     -       Affected
Vmware   Spring Security                3.2.6     -       Affected
Vmware   Spring Security                3.2.7     -       Affected
Vmware   Spring Security                3.2.8     -       Affected
Vmware   Spring Security                3.2.9     -       Affected
Vmware   Spring Security                4.1.0     -       Affected
Vmware   Spring Security                4.1.1     -       Affected
Vmware   Spring Security                4.1.2     -       Affected
Vmware   Spring Security                4.1.3     -       Affected
Vmware   Spring Security                4.2.0     -       Affected
Ibm      Websphere Application Server   8.5.0.0   -       Affected
Ibm      Websphere Application Server   8.5.0.1   -       Affected
Ibm      Websphere Application Server   8.5.0.2   -       Affected
Ibm      Websphere Application Server   8.5.5.0   -       Affected
Ibm      Websphere Application Server   8.5.5.1   -       Affected
Ibm      Websphere Application Server   8.5.5.2   -       Affected
Ibm      Websphere Application Server   8.5.5.3   -       Affected
Ibm      Websphere Application Server   8.5.5.4   -       Affected
Ibm      Websphere Application Server   8.5.5.5   -       Affected
Ibm      Websphere Application Server   8.5.5.6   -       Affected
Ibm      Websphere Application Server   8.5.5.7   -       Affected
Ibm      Websphere Application Server   8.5.5.8   -       Affected
Ibm      Websphere Application Server   8.5.5.9   -       Affected