CVE-2018-1199

Impact:
Important
Public Date:
2018-01-29
CWE:
CWE-20
Bugzilla:
1540030: CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources

The MITRE CVE dictionary describes this issue as:

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.

Find out more about CVE-2018-1199 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Fuse 6.3 | RHSA-2018:2405 | 2018-08-14

Affected Packages State

Platform | Package | State
Red Hat OpenStack Platform 9.0 | opendaylight | Will not fix
Red Hat OpenStack Platform 12.0 | opendaylight | Will not fix
Red Hat OpenStack Platform 11.0 (Ocata) | opendaylight | Will not fix
Red Hat OpenStack Platform 10 | opendaylight | Will not fix
Red Hat OpenShift Enterprise 3 | millicore | Not affected
Red Hat Mobile Application Platform On-Premise 4 | spring | Not affected
Red Hat JBoss Web Server 3 | tomcat | Not affected
Red Hat JBoss Portal Platform 6 | spring | Not affected
Red Hat JBoss Fuse Service Works 6 | spring | Not affected
Red Hat JBoss Fuse 7 | spring | Affected
Red Hat JBoss Enterprise SOA Platform 5 | spring | Not affected
Red Hat JBoss EWS 2 | tomcat | Not affected
Red Hat JBoss EAP 7 | undertow | Not affected
Red Hat JBoss EAP 6 | jbossweb | Not affected
Red Hat JBoss EAP 5 | jbossweb | Not affected
Red Hat JBoss Data Virtualization 6 | spring | Not affected
Red Hat JBoss BRMS 5 | spring | Not affected
Red Hat JBoss A-MQ 6 | spring | Not affected
Red Hat Gluster Storage 3 | rhevm-dependencies | Not affected
Red Hat Enterprise Linux 8 | springframework | Not affected

Mitigation

As a general precaution, users are encouraged to separate public and private resources. For example, serving static resources from two distinct roots, mapped to /resources/public/** and /resources/private/**, is preferred to one common root with public and private content mixed underneath it, because the access rule for the private root then never depends on distinguishing individual files under a shared prefix.
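The layout recommended above, written out as a Spring 5 / Spring Security 5 Java configuration. This is an added example, not code from the Red Hat page or from the Spring project: the resource locations (classpath:/static/public/ and classpath:/static/private/) and the use of HTTP Basic authentication are assumptions chosen for illustration.

```java
// Added example: separate public and private static resources into distinct
// URL roots, so the private root is governed by one authenticated() rule.
// Assumes Spring Framework 5.0.3+ and Spring Security 5.0.1+ (the fixed
// versions named in the CVE description); resource locations are made up.
package example.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Spring MVC side: two resource handlers, each bound to its own directory.
 * Nothing under /resources/private/** is ever served from the public location,
 * and vice versa, so the URL prefix alone decides which rule applies.
 */
@Configuration
@EnableWebMvc
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Public assets (CSS, logos, ...) under a root that will be permitAll().
        registry.addResourceHandler("/resources/public/**")
                .addResourceLocations("classpath:/static/public/");   // assumed location

        // Private assets (reports, downloads, ...) under a root that requires login.
        registry.addResourceHandler("/resources/private/**")
                .addResourceLocations("classpath:/static/private/");  // assumed location
    }
}

/**
 * Spring Security side: one rule per root. The private root is authenticated()
 * as a whole, so access control does not rely on telling individual files
 * apart under a single shared prefix.
 */
@Configuration
@EnableWebSecurity
class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/public/**").permitAll()
                .antMatchers("/resources/private/**").authenticated()
                // Default-deny for anything else, including unmapped paths.
                .anyRequest().authenticated()
                .and()
            .httpBasic();   // assumed authentication mechanism for the example
    }
}
```

The separation is a precaution that complements, rather than replaces, upgrading to the fixed Spring Security and Spring Framework versions listed in the description. With this layout, a request is either under the public root and needs no authentication, or under the private root and always needs it; there is no single mixed root where the framework must decide per file which rule applies.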

CVE description copyright © 2017, The MITRE Corporation