{ "threat_severity" : "Important", "public_date" : "2018-01-29T00:00:00Z", "bugzilla" : { "description" : "spring-framework: Improper URL path validation allows for bypassing of security checks on static resources", "id" : "1540030", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1540030" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed." ], "affected_release" : [ { "product_name" : "Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R7", "release_date" : "2018-08-14T00:00:00Z", "advisory" : "RHSA-2018:2405", "cpe" : "cpe:/a:redhat:jboss_fuse:6.3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "springframework", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "undertow-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Integration Service 2", "fix_state" : "Affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:fuse_integration_services:2" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat Mobile Application Platform 4", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:mobile_application_platform:4" }, { "product_name" : "Red Hat OpenShift Enterprise 3", "fix_state" : "Not affected", "package_name" : "millicore", "cpe" : "cpe:/a:redhat:openshift:3", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 11 (Ocata)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:11" }, { "product_name" : "Red Hat OpenStack Platform 12 (Pike)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:12" }, { "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:9" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "rhevm-dependencies", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1199\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1199\nhttps://pivotal.io/security/cve-2018-1199" ], "name" : "CVE-2018-1199", "mitigation" : { "value" : "As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.", "lang" : "en:us" }, "csaw" : false }