CVE-2018-1199 in Spring Security
Summary
by MITRE
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
Analysis
by VulDB Data Team • 02/22/2023
This vulnerability affects Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4 and 5.0.x before 5.0.1, together with the corresponding Spring Framework versions (4.3.x before 4.3.14 and 5.0.x before 5.0.3). The core issue stems from inconsistent handling of URL path parameters under the Servlet Specification: some containers include path parameters in the value returned by getPathInfo(), others do not. Spring Security relies on that getPathInfo() value when mapping a request to its security constraints, so a request whose path parameters use particular encodings can be matched against the wrong constraint.
The flaw lies in this ambiguity of servlet container behaviour for URLs that carry path parameters, such as /resource;jsessionid=abcd. Because containers differ in whether such parameters appear in getPathInfo(), the path Spring Security compares against its constraints can differ from the path that is ultimately served, and a request built around that difference can fall outside the intended access controls.
The operational impact is significant: the bypass applies to secured static resource URLs in Spring MVC applications, so a suitably encoded path parameter can expose protected static content without authentication or authorization. This undermines the basic security model of the application, since resources that a security constraint should cover become reachable.
This vulnerability maps to CWE-284 Access Control Bypass and aligns with ATT&CK technique T1078 Valid Accounts, as path parameter manipulation yields access to resources that should be protected; the pattern is a privilege escalation through an improper access control implementation. Organizations running affected versions should update Spring Security to 4.1.5, 4.2.4 or 5.0.1 and Spring Framework to 4.3.14 or 5.0.3, as applicable, and make sure every instance is upgraded. Security teams should also review their application configurations and monitor for unusual URL access patterns, such as requests carrying path parameters or encoded separators against protected paths, that might indicate exploitation attempts.
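The following Python model is an added example, not code from Spring Security, MITRE or VulDB. It illustrates the mechanism described in the analysis (the security layer matching on whatever getPathInfo() returns while the resource layer serves a normalised path) and the hardening the remediation paragraph calls for. The protected prefix /admin/, the sample request URIs and the two container behaviours are constructed assumptions; no real container or Spring code is involved. The hardened check refuses any request containing a semicolon or its percent-encoded form before matching, and then matches on the same normalised path the resource layer uses, which is the same defensive idea the patched releases apply through their strict request firewall.

```python
import re
from urllib.parse import unquote

# Constructed constraint: everything under /admin/ requires an authenticated user.
PROTECTED_PREFIX = "/admin/"

# Constructed raw request-URIs, as a servlet container would receive them.
SAMPLE_REQUESTS = [
    "/admin/report.css",                  # plainly protected
    "/public/app.css",                    # plainly public
    "/admin;jsessionid=abcd/report.css",  # path parameter on the first segment
    "/admin%3Bx=1/report.css",            # same idea, with ';' percent-encoded
]

# Matches a percent-encoded semicolon in either case.
ENCODED_SEMICOLON = re.compile(r"%3b", re.IGNORECASE)


def strip_path_params(path: str) -> str:
    """Drop ';name=value' path parameters from every segment of the path."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def resource_resolver_path(raw_uri: str) -> str:
    """Model of the path the resource-serving layer finally looks up: query string
    removed, percent-encoding decoded, path parameters dropped."""
    return strip_path_params(unquote(raw_uri.split("?", 1)[0]))


def container_path_info(raw_uri: str, keeps_path_params: bool) -> str:
    """Model of getPathInfo(): some containers return path parameters verbatim,
    others strip them. Percent-encoding is not decoded here, which is the second
    source of variation the advisory describes."""
    path = raw_uri.split("?", 1)[0]
    return path if keeps_path_params else strip_path_params(path)


def naive_requires_auth(path_info: str) -> bool:
    """Flawed approach: match the constraint against getPathInfo() as returned."""
    return path_info.startswith(PROTECTED_PREFIX)


def hardened_decision(raw_uri: str) -> str:
    """Hardened approach: refuse any request carrying a path parameter, encoded or
    not, then match on the same normalised path the resource layer will use.
    Returns 'reject', 'auth' or 'public'."""
    if ";" in raw_uri or ENCODED_SEMICOLON.search(raw_uri):
        return "reject"
    if resource_resolver_path(raw_uri).startswith(PROTECTED_PREFIX):
        return "auth"
    return "public"


def unguarded_protected_requests(keeps_path_params: bool) -> list:
    """Audit helper: list the sample requests for which the naive check demands no
    authentication although the resource layer would serve a protected file."""
    gaps = []
    for uri in SAMPLE_REQUESTS:
        served_path = resource_resolver_path(uri)
        guarded = naive_requires_auth(container_path_info(uri, keeps_path_params))
        if served_path.startswith(PROTECTED_PREFIX) and not guarded:
            gaps.append(uri)
    return gaps


if __name__ == "__main__":
    for keeps in (True, False):
        print(f"container keeps path params={keeps}: "
              f"unguarded={unguarded_protected_requests(keeps)}")
    for uri in SAMPLE_REQUESTS:
        print(f"{uri:40} -> {hardened_decision(uri)}")
```

Running the audit with both container models shows the two gaps the advisory describes: a container that keeps path parameters leaves both parameterised requests unguarded, and a container that strips them still misses the percent-encoded form because it never decodes it. The hardened decision function rejects both up front and gives the same answer for the plain requests regardless of container behaviour, which is the property a constraint matcher needs.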