CVE-2018-1199
Severity: 5.3 MEDIUM
EPSS: 1.5% (top 18.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 16
Latest update: Oct 17
Description
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers incl…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 9 packages
Vulnerability Details
OSV: Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core, and org.springframework:spring-core (2018-10-17)
GHSA: Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core, and org.springframework:spring-core (2018-10-17)
Vendor Advisories
Community
Bugzilla: CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (2018-04-24)
Bugzilla: CVE-2018-1199 springframework: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fedora-all] (2018-01-30)
Bugzilla: CVE-2018-1199 springframework-security: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fedora-all] (2018-01-30)
Bugzilla: CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources (2018-01-30)