Arbitrary Code Execution Affecting org.springframework.security:spring-security-core package, versions [2.0.0,2.0.7.RELEASE) [3.0.0.RELEASE,3.0.6.RELEASE)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-31339
- published 8 Sep 2014
- disclosed 5 Dec 2012
- credit Unknown
How to fix?
Upgrade org.springframework.security:spring-security-core
to version 2.0.7.RELEASE, 3.0.6.RELEASE or higher.
Overview
org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.
Affected versions of this package are vulnerable to Arbitrary Code Execution. CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.