Fluid Attacks Database

Description

Affected versions of this package are vulnerable to Access Restriction Bypass. It does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	libspring-java	>=0 <4.3.14-1	4.3.14-1
debian 14	libspring-java	>=0 <4.3.14-1	4.3.14-1
debian 11	libspring-java	>=0 <4.3.14-1	4.3.14-1
debian 13	libspring-java	>=0 <4.3.14-1	4.3.14-1
maven	org.springframework.security:spring-security-core	>=4.2.0 <4.2.4 \|\| >=5.0.0 <5.0.1 \|\| >=4.1.0 <4.1.5	4.2.4, 5.0.1, 4.1.5
maven	org.springframework:spring-core	>=4.3.0 <4.3.14 \|\| >=5.0.0 <5.0.3	4.3.14, 5.0.3
maven	org.springframework.security:spring-security-config	>=4.1.0 <4.1.5 \|\| >=4.2.0 <4.2.4 \|\| >=5.0.0 <5.0.1	-
maven	org.springframework.security:spring-security-web	>=4.1.0 <4.1.5 \|\| >=4.2.0 <4.2.4 \|\| >=5.0.0 <5.0.1	-

Aliases

1. CVE-2018-11992. NVD-2018-11993. OSV-DEBIAN-2018-11994. OSV-2018-11995. GHSA-v596-fwhq-8x486. GCVE-2018-11997. SECURITY-TRACKER-CVE-2018-11998. access.redhat.com9. DB-CVE-2018-1199

References

1. https://github.com/spring-projects/spring-framework/commit/554662ebab87af97ba25d0c9f5449c7acda8df9c2. https://github.com/spring-projects/spring-framework/commit/73a81f98d40eb6f5faa91aceb868db53fae2a94b3. https://github.com/spring-projects/spring-framework/commit/e6e6b8f4adcad99d133de97fcfac5ae5dd14153c4. https://github.com/spring-projects/spring-security/commit/0eef5b4b425ab42b9fa0fde1a3f36a37b92558f5. https://github.com/spring-projects/spring-security/commit/65da28e4bf62f58fb130ba727cbbd621b44a36d6. https://github.com/spring-projects/spring-security/commit/cb8041ba67635edafcc934498ef82707157fd227. https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E8. https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E9. https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E10. https://pivotal.io/security/cve-2018-119911. https://www.oracle.com/security-alerts/cpujul2020.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.