Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4,
and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x
before 5.0.3) does not consider URL path parameters when processing
security constraints. By adding a URL path parameter with special
encodings, an attacker may be able to bypass a security constraint. The
root cause of this issue is a lack of clarity regarding the handling of
path parameters in the Servlet Specification. Some Servlet containers
include path parameters in the value returned for getPathInfo() and some do
not. Spring Security uses the value returned by getPathInfo() as part of
the process of mapping requests to security constraints. In this particular
attack, different character encodings used in path parameters allows
secured Spring MVC static resource URLs to be bypassed.
Upstream:released (4.3.14-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (4.3.14-1)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (4.3.14-1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (4.3.14-1)
More Information

Updated: 2020-07-28 18:48:54 UTC (commit 7b6828437fde0509248708fcdb5b0f7587b85bd1)