Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Important. Based on this impact, this bug must be resolved by 28-Feb-2018.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources
Spring Framework and Spring Security do not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint and access Spring MVC static resource URLs.
Affected versions include:
- Spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3 and 5.0
- Spring Framework 4.3.0 - 4.3.14, and 5.0.0 - 5.0.2
Older unmaintained versions of Spring Security and Spring Framework may also be affected.
As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.
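The separation recommended above, shown as a Spring configuration. This is an added example, not code from the tracking issue or from the Spring project: public and private static content are served from two distinct URL roots, and Spring Security grants anonymous access only to the public root while everything else stays deny-by-default. The `/resources/public/**` and `/resources/private/**` prefixes come from the advisory; the classpath locations, class names and the use of form login are assumptions. The code targets the Spring Framework 5.0 / Spring Security 5.0 APIs (`WebMvcConfigurer` with default methods, `WebSecurityConfigurerAdapter`); on Spring Framework 4.3 the MVC class would extend `WebMvcConfigurerAdapter` instead. It is a defence-in-depth layout, not a substitute for upgrading to a fixed version.

```java
// Added example (not from the tracking issue or the Spring project): keep
// public and private static resources under separate URL roots, as the
// advisory recommends, so that no security rule has to distinguish files
// that share one common prefix. Classpath locations and class names are
// assumptions chosen for illustration.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebMvc
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Two distinct roots on disk and in the URL space: nothing that needs
        // authentication is ever placed under the public prefix.
        registry.addResourceHandler("/resources/public/**")
                .addResourceLocations("classpath:/static/public/");
        registry.addResourceHandler("/resources/private/**")
                .addResourceLocations("classpath:/static/private/");
    }
}

@Configuration
@EnableWebSecurity
class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only the public root is reachable without a session.
                .antMatchers("/resources/public/**").permitAll()
                // The private root requires an authenticated principal.
                .antMatchers("/resources/private/**").authenticated()
                // Deny-by-default for every other URL, including anything that
                // does not match the two resource roots above.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Because the public and private content no longer share a root, a request that reaches the wrong handler by any path-matching quirk still lands on either purely public files or on a handler behind `authenticated()`; there is no mixed directory where a matcher mismatch alone exposes private content.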