openEuler update for springframework



Published: 2021-11-05
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2016-5007
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
openEuler
Operating systems & Components / Operating system

springframework-jms
Operating systems & Components / Operating system package or component

springframework-oxm
Operating systems & Components / Operating system package or component

springframework-instrument
Operating systems & Components / Operating system package or component

springframework-jdbc
Operating systems & Components / Operating system package or component

springframework-orm-hibernate4
Operating systems & Components / Operating system package or component

springframework-beans
Operating systems & Components / Operating system package or component

springframework-orm
Operating systems & Components / Operating system package or component

springframework-tx
Operating systems & Components / Operating system package or component

springframework-web
Operating systems & Components / Operating system package or component

springframework-aop
Operating systems & Components / Operating system package or component

springframework-expression
Operating systems & Components / Operating system package or component

springframework-context
Operating systems & Components / Operating system package or component

springframework-help
Operating systems & Components / Operating system package or component

springframework
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU82532

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-5007

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists because both Spring Security and the Spring Framework rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. A remote attacker can trigger the vulnerability to bypass security restrictions.

Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

springframework-jms: before 3.2.18-8

springframework-oxm: before 3.2.18-8

springframework-instrument: before 3.2.18-8

springframework-jdbc: before 3.2.18-8

springframework-orm-hibernate4: before 3.2.18-8

springframework-beans: before 3.2.18-8

springframework-orm: before 3.2.18-8

springframework-tx: before 3.2.18-8

springframework-web: before 3.2.18-8

springframework-aop: before 3.2.18-8

springframework-expression: before 3.2.18-8

springframework-context: before 3.2.18-8

springframework-help: before 3.2.18-8

springframework: before 3.2.18-8

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1416


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
