openEuler update for springframework
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-5007 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system springframework-jms Operating systems & Components / Operating system package or component springframework-oxm Operating systems & Components / Operating system package or component springframework-instrument Operating systems & Components / Operating system package or component springframework-jdbc Operating systems & Components / Operating system package or component springframework-orm-hibernate4 Operating systems & Components / Operating system package or component springframework-beans Operating systems & Components / Operating system package or component springframework-orm Operating systems & Components / Operating system package or component springframework-tx Operating systems & Components / Operating system package or component springframework-web Operating systems & Components / Operating system package or component springframework-aop Operating systems & Components / Operating system package or component springframework-expression Operating systems & Components / Operating system package or component springframework-context Operating systems & Components / Operating system package or component springframework-help Operating systems & Components / Operating system package or component springframework Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU82532
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-5007
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. A remote attacker can trigger the vulnerability to bypass security restrictions.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1 - 20.03 LTS SP2
springframework-jms: before 3.2.18-8
springframework-oxm: before 3.2.18-8
springframework-instrument: before 3.2.18-8
springframework-jdbc: before 3.2.18-8
springframework-orm-hibernate4: before 3.2.18-8
springframework-beans: before 3.2.18-8
springframework-orm: before 3.2.18-8
springframework-tx: before 3.2.18-8
springframework-web: before 3.2.18-8
springframework-aop: before 3.2.18-8
springframework-expression: before 3.2.18-8
springframework-context: before 3.2.18-8
springframework-help: before 3.2.18-8
springframework: before 3.2.18-8
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP2:*:*:*:*:*:*
- cpe:2.3:o:openeuler:springframework-jms:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-oxm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-instrument:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-jdbc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-orm-hibernate4:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-beans:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-orm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-tx:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-web:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-aop:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-expression:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-context:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:springframework:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1416
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
