veracode-repository-ruleset / verademo-java-maven


CVE: 2018-1199 found in Spring Web MVC - Version: 4.3.10.RELEASE [JAVA] #47

Status: Open. Opened by github-actions[bot] 8 months ago.

github-actions[bot] commented 8 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Web MVC |
| Description | Spring Web MVC |
| Language | JAVA |
| Vulnerability | Security Constraint Bypass |
| Vulnerability description | spring-security-web and spring-web are vulnerable to security bypass with static resources. Spring uses the output of getPathInfo() when mapping security constraints and requests. It is not standardized whether the path parameters should be included in the value from getPathInfo(). Using this knowledge, attackers can bypass security constraints by using encoded characters. |
| CVE | 2018-1199 |
| CVSS score | 5 |
| Vulnerability present in version/s | 3.1.0.RELEASE-4.3.12.RELEASE |
| Found library version/s | 4.3.10.RELEASE |
| Vulnerability fixed in version | 4.3.13.RELEASE |
| Library latest version | 6.1.1 |
| Fix | |

Links:

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54