- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: FIS 2.0
- Fix Version/s: fuse-7.0
- Component/s: FIS-Productization Pipeline
- Epic Link:
Security Sensitive Issue: This issue is security relevant
Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Important. Based on this impact, this bug must be resolved by 28-Feb-2018.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
Flaw:
CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources
https://bugzilla.redhat.com/show_bug.cgi?id=1540030
Spring Framework and Spring Security do not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint and access Spring MVC static resource URLs.
Affected versions include:
- Spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3 and 5.0
- Spring Framework 4.3.0 - 4.3.14, and 5.0.0 - 5.0.2
Older unmaintained versions of Spring Security and Spring Framework may also be affected.
External References:
https://pivotal.io/security/cve-2018-1199
Mitigation:
As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.
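As an added illustration of the separation recommended above (example code written for this page, not code from this issue or from the Spring project), the following Spring MVC and Spring Security configuration maps public and private static resources to distinct URL roots and applies a different access rule to each. It assumes the Spring Framework 5.0 and Spring Security 5.0 APIs; the class names, classpath locations and the form-login setup are illustrative assumptions.

```java
// Added example, not code from this issue or from the Spring project.
// Assumes Spring Framework 5.0 / Spring Security 5.0; class names and
// classpath locations are illustrative assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebMvc
class StaticResourceConfig implements WebMvcConfigurer {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Public assets are served from one classpath root under /resources/public/** ...
        registry.addResourceHandler("/resources/public/**")
                .addResourceLocations("classpath:/static/public/");
        // ... and private assets from a separate root under /resources/private/**,
        // so no single handler (or filesystem directory) mixes the two.
        registry.addResourceHandler("/resources/private/**")
                .addResourceLocations("classpath:/static/private/");
    }
}

@Configuration
@EnableWebSecurity
class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // The public root is the only one opened to unauthenticated clients.
            .antMatchers("/resources/public/**").permitAll()
            // Everything under the private root, and every other request, requires a login.
            .antMatchers("/resources/private/**").authenticated()
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

Keeping the two roots disjoint means an access decision for a private asset never depends on distinguishing it from a public sibling under a shared prefix; this is the precaution the advisory describes and complements, rather than replaces, updating the affected Spring artifacts.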
- cloned to: ENTESB-8498 CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0] (Closed)
- is related to: ENTESB-8469 CVE-2018-1271 spring: spring-framework: Directory traversal vulnerability with static resources on Windows filesystems [fis-2.0] (Closed)