CVE-2016-5007

Priority
Description
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x,
4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for
mapping requests to controllers, respectively. Differences in the strictness
of the pattern matching mechanisms, for example with regard to space
trimming in path segments, can cause Spring Security to fail to recognize
certain paths as protected, even though they are in fact mapped to Spring MVC
controllers that should be protected. The problem is compounded by the fact
that the Spring Framework provides richer pattern matching features, and by
the fact that pattern matching in both Spring Security and the Spring
Framework can easily be customized, creating additional differences.
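
The disagreement described above can be checked for directly. The following is an added example, not code from Spring or from this tracker: it runs the same patterns through two Spring AntPathMatcher instances, one with token trimming off and one with it on, and reports every path the two classify differently. The class name, patterns and paths are constructed for illustration, letting the two instances stand in for the authorization layer and the controller-mapping layer is an assumption, and spring-core must be on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Hypothetical class name; added example, not project code.
public class MatcherConsistencyCheck {

    /** Returns one line per (pattern, path) pair on which the two matchers disagree. */
    static List<String> divergences(AntPathMatcher authz, AntPathMatcher dispatch,
                                    List<String> patterns, List<String> paths) {
        List<String> out = new ArrayList<>();
        for (String path : paths) {
            for (String pattern : patterns) {
                boolean a = authz.match(pattern, path);
                boolean d = dispatch.match(pattern, path);
                if (a != d) {
                    // Brackets make leading or trailing whitespace in the path visible.
                    out.add(String.format("pattern=%s path=[%s] authz=%b dispatch=%b",
                            pattern, path, a, d));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Assumption: the strict matcher models the authorization layer.
        AntPathMatcher strict = new AntPathMatcher();
        strict.setTrimTokens(false);

        // Assumption: the trimming matcher models the controller-mapping layer.
        AntPathMatcher trimming = new AntPathMatcher();
        trimming.setTrimTokens(true);

        // Constructed patterns and request paths, including segments padded with a space.
        List<String> protectedPatterns = Arrays.asList("/admin/**", "/reports/summary");
        List<String> paths = Arrays.asList(
                "/admin/users", "/admin /users", "/reports/summary ", "/public/index");

        List<String> found = divergences(strict, trimming, protectedPatterns, paths);
        found.forEach(System.out::println);
        // A non-zero exit lets a build step fail when the two layers disagree.
        if (!found.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Run against an application's real security patterns and controller mappings, any reported line is a path where access rules and request dispatch need to be brought back into agreement.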
Notes
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (4.3.1-1)
Ubuntu 19.10 (Eoan Ermine): not-affected (4.3.1-1)
Ubuntu 20.04 (Focal Fossa): not-affected (4.3.1-1)
Patches:
Upstream: https://github.com/spring-projects/spring-framework/commit/a30ab3
Upstream: https://github.com/spring-projects/spring-security/commit/e4c13e
Updated: 2020-04-24 03:31:03 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)