CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/91687	Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2016-5007	Vendor Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pivotal_software:spring_framework:3.2.0:::::::*
	cpe:2.3:a:pivotal_software:spring_framework:4.0.0:::::::*
	cpe:2.3:a:pivotal_software:spring_framework:4.1.0:::::::*
	cpe:2.3:a:pivotal_software:spring_framework:4.2.0:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.1:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.2:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.3:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.4:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.5:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.6:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.7:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.8:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.9:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.10:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.11:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.12:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.13:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.14:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.15:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.16:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.17:::::::*
	cpe:2.3:a:vmware:spring_framework:3.2.18:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.1:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.2:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.3:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.4:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.5:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.6:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.7:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.8:::::::*
	cpe:2.3:a:vmware:spring_framework:4.0.9:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.1:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.2:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.3:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.4:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.5:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.6:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.7:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.8:::::::*
	cpe:2.3:a:vmware:spring_framework:4.1.9:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.1:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.2:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.3:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.4:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.5:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.6:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.7:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.8:::::::*
	cpe:2.3:a:vmware:spring_framework:4.2.9:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.0:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.1:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.2:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.3:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.4:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.5:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.6:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.7:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.8:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.9:::::::*
	cpe:2.3:a:vmware:spring_security:3.2.10:::::::*
	cpe:2.3:a:vmware:spring_security:4.0.0:::::::*
	cpe:2.3:a:vmware:spring_security:4.0.1:::::::*
	cpe:2.3:a:vmware:spring_security:4.0.2:::::::*
	cpe:2.3:a:vmware:spring_security:4.0.3:::::::*
cpe:2.3:a:vmware:spring_security:4.0.4:::::::*
cpe:2.3:a:vmware:spring_security:4.1.0:::::::*

History

11 Apr 2022, 17:18

Type	Values Removed	Values Added
First Time		Vmware spring Framework
CPE	cpe:2.3:a:pivotal_software:spring_framework:3.2.17:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.2:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.9:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.8:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.5:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.3:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.6:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.4:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.16:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.12:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.7:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.9:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.3:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.7:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.1:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.3:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.7:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.1:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.11:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.9:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.3:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.4:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.7:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.4:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.8:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.0.2:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.5:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.9:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.4:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.5:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.6:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.6:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.1:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.15:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.13:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.1.2:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.1:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.14:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.2:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.18:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.10:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.6:::::::* cpe:2.3:a:pivotal_software:spring_framework:3.2.8:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.5:::::::* cpe:2.3:a:pivotal_software:spring_framework:4.2.8:::::::*	cpe:2.3:a:vmware:spring_framework:3.2.13:::::::* cpe:2.3:a:vmware:spring_framework:4.0.8:::::::* cpe:2.3:a:vmware:spring_framework:3.2.16:::::::* cpe:2.3:a:vmware:spring_framework:3.2.15:::::::* cpe:2.3:a:vmware:spring_framework:3.2.8:::::::* cpe:2.3:a:vmware:spring_framework:4.0.4:::::::* cpe:2.3:a:vmware:spring_framework:3.2.10:::::::* cpe:2.3:a:vmware:spring_framework:4.0.1:::::::* cpe:2.3:a:vmware:spring_framework:4.1.6:::::::* cpe:2.3:a:vmware:spring_framework:3.2.7:::::::* cpe:2.3:a:vmware:spring_framework:3.2.18:::::::* cpe:2.3:a:vmware:spring_framework:3.2.5:::::::* cpe:2.3:a:vmware:spring_framework:3.2.9:::::::* cpe:2.3:a:vmware:spring_framework:4.0.6:::::::* cpe:2.3:a:vmware:spring_framework:3.2.1:::::::* cpe:2.3:a:vmware:spring_framework:3.2.4:::::::* cpe:2.3:a:vmware:spring_framework:4.2.1:::::::* cpe:2.3:a:vmware:spring_framework:3.2.12:::::::* cpe:2.3:a:vmware:spring_framework:4.1.5:::::::* cpe:2.3:a:vmware:spring_framework:3.2.6:::::::* cpe:2.3:a:vmware:spring_framework:4.2.2:::::::* cpe:2.3:a:vmware:spring_framework:4.2.7:::::::* cpe:2.3:a:vmware:spring_framework:4.1.7:::::::* cpe:2.3:a:vmware:spring_framework:4.2.8:::::::* cpe:2.3:a:vmware:spring_framework:4.1.4:::::::* cpe:2.3:a:vmware:spring_framework:4.1.9:::::::* cpe:2.3:a:vmware:spring_framework:3.2.3:::::::* cpe:2.3:a:vmware:spring_framework:3.2.2:::::::* cpe:2.3:a:vmware:spring_framework:4.1.3:::::::* cpe:2.3:a:vmware:spring_framework:4.2.3:::::::* cpe:2.3:a:vmware:spring_framework:4.2.5:::::::* cpe:2.3:a:vmware:spring_framework:4.0.7:::::::* cpe:2.3:a:vmware:spring_framework:4.0.2:::::::* cpe:2.3:a:vmware:spring_framework:4.1.2:::::::* cpe:2.3:a:vmware:spring_framework:4.1.8:::::::* cpe:2.3:a:vmware:spring_framework:4.2.9:::::::* cpe:2.3:a:vmware:spring_framework:3.2.11:::::::* cpe:2.3:a:vmware:spring_framework:4.0.5:::::::* cpe:2.3:a:vmware:spring_framework:4.0.3:::::::* cpe:2.3:a:vmware:spring_framework:3.2.17:::::::* cpe:2.3:a:vmware:spring_framework:3.2.14:::::::* cpe:2.3:a:vmware:spring_framework:4.0.9:::::::* cpe:2.3:a:vmware:spring_framework:4.2.4:::::::* cpe:2.3:a:vmware:spring_framework:4.1.1:::::::* cpe:2.3:a:vmware:spring_framework:4.2.6:::::::*

08 Jun 2021, 18:22

Type	Values Removed	Values Added
CPE	cpe:2.3:a:pivotal_software:spring_security:4.1.0:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.4:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.5:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.7:::::::* cpe:2.3:a:pivotal_software:spring_security:4.0.1:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.10:::::::* cpe:2.3:a:pivotal_software:spring_security:4.0.3:::::::* cpe:2.3:a:pivotal_software:spring_security:4.0.0:::::::* cpe:2.3:a:pivotal_software:spring_security:4.0.2:::::::* cpe:2.3:a:pivotal_software:spring_security:4.0.4:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.3:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.9:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.1:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.6:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.2:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.0:::::::* cpe:2.3:a:pivotal_software:spring_security:3.2.8:::::::*	cpe:2.3:a:vmware:spring_security:3.2.3:::::::* cpe:2.3:a:vmware:spring_security:3.2.9:::::::* cpe:2.3:a:vmware:spring_security:3.2.2:::::::* cpe:2.3:a:vmware:spring_security:4.0.3:::::::* cpe:2.3:a:vmware:spring_security:3.2.7:::::::* cpe:2.3:a:vmware:spring_security:4.0.4:::::::* cpe:2.3:a:vmware:spring_security:3.2.1:::::::* cpe:2.3:a:vmware:spring_security:3.2.4:::::::* cpe:2.3:a:vmware:spring_security:3.2.10:::::::* cpe:2.3:a:vmware:spring_security:4.0.2:::::::* cpe:2.3:a:vmware:spring_security:3.2.6:::::::* cpe:2.3:a:vmware:spring_security:4.0.0:::::::* cpe:2.3:a:vmware:spring_security:3.2.5:::::::* cpe:2.3:a:vmware:spring_security:3.2.8:::::::* cpe:2.3:a:vmware:spring_security:4.0.1:::::::* cpe:2.3:a:vmware:spring_security:4.1.0:::::::* cpe:2.3:a:vmware:spring_security:3.2.0:::::::*

Information

Published : 2017-05-25 17:29

Updated : 2023-12-10 12:15

NVD link : CVE-2016-5007

Mitre link : CVE-2016-5007

CVE.ORG link : CVE-2016-5007

JSON object : View

Products Affected

vmware

spring_framework
spring_security

pivotal_software

spring_framework

CWE

CWE-264

Permissions, Privileges, and Access Controls

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-5007

7.5^/10

5.0^/10

Attach tags to `CVE-2016-5007`