Vulnerability title
N/A
Vulnerability description
Spring Security 3.2.x, 4.0.x and 4.1.0, and Spring Framework 3.2.x, 4.0.x, 4.1.x and 4.2.x, both rely on URL pattern mappings: Spring Security uses them for authorization, Spring Framework uses them to map requests to controllers. The two pattern-matching mechanisms differ in strictness, for example in whether whitespace in a path segment is trimmed, so Spring Security can treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded because Spring Framework offers richer pattern-matching features, and because pattern matching in both Spring Security and Spring Framework is easily customized, which creates further differences.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to treat certain paths as not protected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching, and by the fact that pattern matching in each of Spring Security and the Spring Framework can easily be customized, creating additional differences.
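The mismatch both descriptions above refer to, shown as an added example that is not part of the advisory or of either Spring project's code. It uses Spring Framework's real org.springframework.util.AntPathMatcher twice, once with trimTokens disabled and once enabled, and assumes (my modelling assumption, not a statement from the advisory) that the strict instance stands for the security layer's URL matching and the lenient instance for the MVC handler mapping. The pattern, request paths and class names are constructed for the demonstration.

```java
import org.springframework.util.AntPathMatcher;

/**
 * Added example (not advisory or Spring project code): two AntPathMatcher
 * instances that differ only in trimTokens disagree about a path whose
 * segment carries trailing whitespace. When the lenient matcher is the one
 * that routes to the controller and the strict one is the one that decides
 * whether the URL is protected, the padded request reaches the controller
 * without passing the security rule.
 */
public class PathMatchDemo {

    // Pattern shared by the security rule and the controller mapping (constructed).
    static final String PROTECTED_PATTERN = "/admin/**";

    // Constructed request paths, already URL-decoded as the servlet container
    // hands them over; PADDED is "/admin%20/users" on the wire.
    static final String NORMAL = "/admin/users";
    static final String PADDED = "/admin /users";

    /** Strict matcher: path segments are compared verbatim (assumed: security-layer behaviour). */
    static AntPathMatcher strict() {
        AntPathMatcher m = new AntPathMatcher();
        m.setTrimTokens(false);
        return m;
    }

    /** Lenient matcher: whitespace is trimmed from every segment first (assumed: MVC-side behaviour). */
    static AntPathMatcher lenient() {
        AntPathMatcher m = new AntPathMatcher();
        m.setTrimTokens(true);
        return m;
    }

    /** True when MVC would route the path to the protected controller but the security rule does not fire. */
    static boolean isBypass(String path) {
        boolean protectedBySecurity = strict().match(PROTECTED_PATTERN, path);
        boolean routedToController = lenient().match(PROTECTED_PATTERN, path);
        return routedToController && !protectedBySecurity;
    }

    public static void main(String[] args) {
        for (String path : new String[] { NORMAL, PADDED }) {
            System.out.printf("%-16s security=%-5b mvc=%-5b bypass=%b%n",
                    "\"" + path + "\"",
                    strict().match(PROTECTED_PATTERN, path),
                    lenient().match(PROTECTED_PATTERN, path),
                    isBypass(path));
        }
        // Expected: NORMAL matches on both sides (no bypass); PADDED matches only
        // on the lenient side, so isBypass(PADDED) is true.
    }
}
```

Run it with spring-core on the classpath. The practical check is the `isBypass` column: any path for which the security-side matcher and the MVC-side matcher disagree is a candidate bypass, and whitespace is only one of several sources of disagreement (trailing slashes, suffix patterns and case sensitivity are others the two matchers can be configured to treat differently). The fix that removes the class of problem rather than one instance is to make both layers use the same matcher; in Spring Security 4.1.1 and later that means `http.authorizeRequests().mvcMatchers("/admin/**")` (backed by `MvcRequestMatcher`, which delegates to Spring MVC's own `HandlerMappingIntrospector`) instead of `antMatchers`, and Spring Framework 4.3 also changed the `AntPathMatcher` `trimTokens` default to `false`.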
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Pivotal Spring Security and Spring Framework security vulnerability
Vulnerability description
Pivotal Spring Security and Spring Framework are both products of Pivotal Software Inc. of the United States. The former is a security framework that provides declarative security for Spring-based applications; the latter is an open-source Java / Java EE application framework. A security vulnerability exists in Pivotal Spring Security and Spring Framework. An attacker can exploit it to bypass security restrictions and perform unauthorized operations. The following versions are affected: Pivotal Spring Security 3.2.x, 4.0.x, 4.1.x
CVSS information
N/A
Vulnerability category
Permissions, privileges and access control issue