Red Hat Fuse / ENTESB-8456

CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0]

Security Sensitive Issue: This issue is security relevant.

      Description

      Security Tracking Issue

      Do not make this issue public.

      This bug is subject to the Security Errata Policy.

      The overall impact of the blocking security issue(s) is Important. Based on this impact, this bug must be resolved by 28-Feb-2018.

      Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata

Flaw:

      CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources
      https://bugzilla.redhat.com/show_bug.cgi?id=1540030

      Spring Framework and Spring Security do not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint and access Spring MVC static resource URLs.

      Affected versions include:

      • Spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3 and 5.0
      • Spring Framework 4.3.0 - 4.3.14, and 5.0.0 - 5.0.2

      Older unmaintained versions of Spring Security and Spring Framework may also be affected.

      External References:

      https://pivotal.io/security/cve-2018-1199

      Mitigation:

      As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.
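The separation the mitigation recommends can be expressed directly in Spring MVC and Spring Security configuration. The following is an added illustration written for this tracking issue, not code from the advisory, from Pivotal, or from Red Hat Fuse; it assumes Spring Framework 5.0 / Spring Security 5.0 Java configuration, and the classpath locations (`classpath:/static/public/`, `classpath:/static/private/`) are hypothetical. The point is that the resource handlers and the security constraints are keyed on distinct URL roots, so a private asset is never reachable through a prefix that is also mapped as public.

```java
// Added example of the advisory's mitigation: keep public and private static
// resources under separate URL roots (/resources/public/** vs
// /resources/private/**) so that resource handlers and security constraints
// agree on a prefix rather than on a single mixed root.
// Assumes Spring Framework 5.0 / Spring Security 5.0 Java config; the
// classpath locations below are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Public assets get their own root ...
        registry.addResourceHandler("/resources/public/**")
                .addResourceLocations("classpath:/static/public/");
        // ... and private assets a separate root; nothing is served from a
        // shared parent such as /resources/** that would cover both.
        registry.addResourceHandler("/resources/private/**")
                .addResourceLocations("classpath:/static/private/");
    }
}

@Configuration
@EnableWebSecurity
class ResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Only the public root is open to anonymous callers.
                .antMatchers("/resources/public/**").permitAll()
                // The private root requires an authenticated principal.
                .antMatchers("/resources/private/**").authenticated()
                // Everything else is closed by default.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

The configuration is deliberately structured so that the default rule (`anyRequest().authenticated()`) is the fallback: if a request to a static resource does not match the public root exactly as the resource handler defines it, it is denied rather than served. Upgrading to a fixed Spring Framework / Spring Security release remains the actual fix; the layout above is the precaution the advisory describes for limiting exposure in the meantime.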

People

Assignee: Unassigned
Reporter: Hooman Broujerdi (hooman_b2455)
Tester: Lukáš Löwinger
Involved: Hooman Broujerdi