CVE-2018-1199
spring-framework: Improper URL path validation allows for bypassing of security checks on static resources
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Spring Security (Spring Security en versiones 4.1.x anteriores a la 4.1.5, versiones 4.2.x anteriores a la 4.2.4 y versiones 5.0.x anteriores a la 5.0.1; y Spring Framework en versiones 4.3.x anteriores a la 4.3.14 y versiones 5.0.x anteriores a la 5.0.3) no tiene en cuenta los parámetros de ruta de URL al procesar limitaciones de seguridad. Al añadir un parámetro de ruta URL con codificaciones especiales, un atacante podría ser capaz de omitir una limitación de seguridad. La causa raíz de este problema es la falta de claridad con respecto a la gestión de los parámetros de ruta en Servlet Specification. Algunos contenedores de Servlet incluyen parámetros de ruta en el valor devuelto a getPathInfo(), pero otros no. Spring Security emplea el valor devuelto por getPathInfo() como parte del proceso de mapeo de peticiones a limitaciones de seguridad. En este ataque en concreto, las diferentes codificaciones de caracteres empleadas en los parámetros de ruta permiten la omisión de URL de recursos estáticos seguros de Spring MVC.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-12-06 CVE Reserved
- 2018-03-16 CVE Published
- 2023-07-08 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (8)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2405 | 2023-11-07 | |
| https://pivotal.io/security/cve-2018-1199 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2018-1199 | 2018-08-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1540030 | 2018-08-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vmware Search vendor "Vmware" | Spring Framework Search vendor "Vmware" for product "Spring Framework" | >= 4.3.0 < 4.3.14 Search vendor "Vmware" for product "Spring Framework" and version " >= 4.3.0 < 4.3.14" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Spring Framework Search vendor "Vmware" for product "Spring Framework" | >= 5.0.0 < 5.0.3 Search vendor "Vmware" for product "Spring Framework" and version " >= 5.0.0 < 5.0.3" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Spring Security Search vendor "Vmware" for product "Spring Security" | >= 4.1.0 < 4.1.5 Search vendor "Vmware" for product "Spring Security" and version " >= 4.1.0 < 4.1.5" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Spring Security Search vendor "Vmware" for product "Spring Security" | >= 4.2.0 < 4.2.4 Search vendor "Vmware" for product "Spring Security" and version " >= 4.2.0 < 4.2.4" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Spring Security Search vendor "Vmware" for product "Spring Security" | >= 5.0.0 < 5.0.1 Search vendor "Vmware" for product "Spring Security" and version " >= 5.0.0 < 5.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Fuse Search vendor "Redhat" for product "Fuse" | 1.0 Search vendor "Redhat" for product "Fuse" and version "1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Rapid Planning Search vendor "Oracle" for product "Rapid Planning" | 12.1 Search vendor "Oracle" for product "Rapid Planning" and version "12.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Rapid Planning Search vendor "Oracle" for product "Rapid Planning" | 12.2 Search vendor "Oracle" for product "Rapid Planning" and version "12.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 7.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "7.1" | - |
Affected
| ||||||