CVE: 2018-1199 found in Spring Web MVC - Version: 3.2.15.RELEASE [JAVA] #851

Open
github-actions bot opened this issue Sep 24, 2022 · 0 comments
Labels: Severity: Medium (Medium severity), Veracode Dependency Scanning (A Veracode identified vulnerability)

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Web MVC |
| Description | Spring Web MVC |
| Language | JAVA |
| Vulnerability | Security Constraint Bypass |
| Vulnerability description | spring-security-web and spring-web are vulnerable to security bypass with static resources. Spring uses the output of getPathInfo() when mapping security constraints and requests. It is not standardized whether the path parameters should be included in the value from getPathInfo(). Using this knowledge, attackers can bypass security constraints by using encoded characters. |
| CVE | 2018-1199 |
| CVSS score | 5 |
| Vulnerability present in version/s | 3.1.0.RELEASE-4.3.12.RELEASE |
| Found library version/s | 3.2.15.RELEASE |
| Vulnerability fixed in version | 4.3.13.RELEASE |
| Library latest version | 6.0.0-M6 |
| Fix | |

Links:
