Spring Security Advisories

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from user supplied input.

Specifically, an application is vulnerable when all of the following are true:

• The header is prepared with org.springframework.http.ContentDisposition.
• The filename is set via one of:
  • ContentDisposition.Builder#filename(String), or
  • ContentDisposition.Builder#filename(String, US_ASCII)
• The value for the filename is derived from user supplied input.
• The user supplied input is not sanitized by the application.
• The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

• The application does not set a “Content-Disposition” response header.
• The header is not prepared with org.springframework.http.ContentDisposition.
• The filename is set via one of:
  • ContentDisposition.Builder#filename(String, UTF_8), or
  • ContentDisposition.Builder#filename(String, ISO_8859_1)
• The filename is not derived from user supplied input.
• The filename is derived from user supplied input but sanitized by the application.

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.

Only non-authenticated endpoints are…

Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of netty (versions prior to 4.1.42), which incorrectly handles whitespace before a colon in headers, leading to HTTP request smuggling attacks.

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.

This vulnerability exposes applications that meet all of the following requirements:

• Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
• Uses the DefaultRedirectResolver in the AuthorizationEndpoint

This vulnerability does not expose applications that:

• Act in the role of an Authorization Server and use a different RedirectResolver implementation other than DefaultRedirectResolver
• Act in the role of a Resource Server only (e.g. @EnableResourceServer)
• Act in the role of a Client only (e.g. @EnableOAuthClient)

This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. Using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.