Spring Security Advisories

RSS feed

This page lists Spring advisories.

CVE-2020-5403: DoS Via Malformed URL with Reactor Netty HTTP Server

MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5403

Description

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

Affected Spring Products and Versions

  • Reactor Netty
    • 0.9.3
    • 0.9.4

Mitigation

Users of affected versions should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5). No other steps are necessary.

  • Reactor Netty
    • 0.9.5

Credit

This issue was…

CVE-2020-5405: Directory Traversal with spring-cloud-config-server

HIGH | FEBRUARY 26, 2020 | CVE-2020-5405

Description

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker…

CVE-2020-5398: RFD Attack via “Content-Disposition” Header Sourced from Request Input by Spring MVC or Spring WebFlux Application

HIGH | JANUARY 16, 2020 | CVE-2020-5398

Description

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from user supplied input.

Specifically, an application is vulnerable when all of the following are true:

  • The header is prepared with org.springframework.http.ContentDisposition.
  • The filename is set via one of:
    • ContentDisposition.Builder#filename(String), or
    • ContentDisposition.Builder#filename(String, US_ASCII)
  • The value for the filename is derived from user supplied input.
  • The user supplied input is not sanitized by the application.
  • The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

  • The application does not set a “Content-Disposition” response header.
  • The header is not prepared with org.springframework.http.ContentDisposition.
  • The filename is set via one of:
    • ContentDisposition.Builder#filename(String, UTF_8), or
    • ContentDisposition.Builder#filename(String, ISO_8859_1)
  • The filename is not derived from user supplied input.
  • The filename is derived from user supplied input but sanitized by the application.

Affected Spring Products and Versions

  • Spring Framework
    • 5.2.0 to 5.2.2
    • 5.1.0 to 5.1.12
    • 5.0.0 to 5.0.15

Mitigation

Users of affected versions should apply the following mitigation. 5.2.x users should upgrade to 5.2.3. 5.1.x users should upgrade to 5.1.13. 5.0.x users should upgrade to 5.0.16. No other steps are necessary.  Releases that have fixed this issue include:

  • Spring Framework
    • 5.2.3
    • 5.1.13
    • 5.0.16

Credit

This issue was identified and responsibly reported by Roman Shalymov from EPAM.

References

CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null

LOW | JUNE 19, 2019 | CVE-2019-11272

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.

Affected Spring Products and Versions

  • Spring Security 4.2 to 4.2.12
  • Older unsupported versions are also affected
  • Note that Spring Security 5+ is not impacted by this vulnerability.

Mitigation

Users of affected versions should apply the following mitigation:

  • 4.2.x users should upgrade to 4.2.13
  • Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Credit

This issue was identified and responsibly reported by Tim Büthe and Daniel Neagaru from mytaxi.

History

2019-06-19: Initial vulnerability report published

CVE-2019-11269: Open Redirector in spring-security-oauth2

MEDIUM | MAY 30, 2019 | CVE-2019-11269

Description

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.

This vulnerability exposes applications that meet all of the following requirements:

  • Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
  • Uses the DefaultRedirectResolver in the AuthorizationEndpoint

This vulnerability does not expose applications that:

  • Act in the role of an Authorization Server and use a different RedirectResolver implementation other than DefaultRedirectResolver
  • Act in the role of a Resource Server only (e.g. @EnableResourceServer)
  • Act in the role of a Client only (e.g. @EnableOAuthClient)

Affected Spring Products and Versions

  • Spring Security OAuth 2.3 to 2.3.5
  • Spring Security OAuth 2.2 to 2.2.4
  • Spring Security OAuth 2.1 to 2.1.4
  • Spring Security OAUth 2.0 to 2.0.17

Mitigation

Users of affected versions should apply the following mitigation:

  • <strong>2.3.x</strong> users should upgrade to <strong>2.3.6</strong>
  • <strong>2.2.x</strong> users should upgrade to <strong>2.2.5</strong>
  • <strong>2.1.x</strong> users should upgrade to <strong>2.1.5</strong>
  • <strong>2.0.x</strong> users should upgrade to <strong>2.0.18</strong>
  • Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the patch for the CVE. In order to override the version, you need to declare/set the property spring-security-oauth.version.

Below are instructions for users of Spring Boot 1.5.x.

To override a property using Maven, declare the property in your pom’s section:


2.0.18.RELEASE

To override a property using Gradle, configure the value in your build.gradle script:

ext['spring-security-oauth.version'] = '2.0.18.RELEASE'

Or in gradle.properties:

spring-security-oauth.version=2.0.18.RELEASE

NOTE: The same instructions apply for users of Spring IO Platform Cairo. However, the version to specify is 2.2.5.RELEASE.

Credit

This issue was identified and responsibly reported by Mike Noordermeer.

References

Additional information exposure with Spring Data JPA example matcher

LOW | MAY 13, 2019 | CVE-2019-3802

Description

This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. Using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.

Affected Spring Products and Versions

  • Spring Data JPA 2.1 to 2.1.7
  • Spring Data JPA 2.0 to 2.0.14
  • Spring Data JPA 1.11 to 1.11.21
  • Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

  • 2.1.x users should upgrade to 2.1.8 (included in Spring Boot 2.1.5)
  • 2.0.x users should upgrade to 2.1.8 (included in Spring Boot 2.1.5)
  • 1.11.x users should upgrade to 1.11.22 (included in Spring Boot 1.5.20)
  • Older versions should upgrade to a supported branch
  • There are no other mitigation steps necessary. Note, that with the current releases, the 2.0 branch of both Spring Data and Spring Boot is EOL and we highly recommend to upgrade

Credit

This issue was identified and responsibly reported by Thaveethu Vignesh

References

CVE-2019-3799: Directory Traversal with spring-cloud-config-server

HIGH | APRIL 16, 2019 | CVE-2019-3799

Description

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Affected Spring Products and Versions

  • Spring Cloud Config 2.1.0 to 2.1.1
  • Spring Cloud Config 2.0.0 to 2.0.3
  • Spring Cloud Config 1.4.0 to 1.4.5
  • Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

  • 2.1.x users should upgrade to 2.1.2
  • 2.0.x users should upgrade to 2.0.4
  • 1.4.x users should upgrade to 1.4.6
  • Older versions should upgrade to a supported branch
  • Note that spring-cloud-config-server should only be available on internal networks to clients that require it and it should be secured with Spring Security, this limits exposure to this vulnerability to those with internal network access and those users with proper authentication.

Credit

This issue was identified and responsibly reported by Vern ([email protected] from PingAn Galaxy Lab).

References

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all