CVE-2016-5007

high VMware
CVSS v3 Base Score
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.2%
Exploitation probability in 30 days
Top 64% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
High
Availability
None
Published: May 25, 2017 (3276 days ago)
Last Modified: May 13, 2026
Vendor: VMware
Source: NVD

Description

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

CWE

CWE-264

Affected Products

pivotal software spring frameworkvmware spring frameworkvmware spring security

References

🔗 www.oracle.com 🔗 www.securityfocus.com 🔗 pivotal.io 🔗 www.oracle.com 🔗 www.oracle.com