{"id":"CVE-2016-5007","details":"Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers, respectively. Differences in the strictness of the pattern matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to not recognize certain paths as protected, even though they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regard to pattern matching, as well as by the fact that pattern matching in both Spring Security and the Spring Framework can easily be customized, creating additional differences.","aliases":["GHSA-8crv-49fr-2h6j"],"modified":"2026-05-28T04:03:14.859439681Z","published":"2017-05-25T17:29:00.740Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"3.2.0"},{"last_affected":"4.0.0"},{"last_affected":"4.1.0"},{"last_affected":"4.2.0"}],"source":"CPE_STRING","cpes":["cpe:2.3:a:pivotal_software:spring_framework:3.2.0:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:spring_framework:4.0.0:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:spring_framework:4.2.0:*:*:*:*:*:*:*"],"vendor_product":"pivotal_software:spring_framework"}]},"references":[{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91687"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2016-5007"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-framework","events":[{"introduced":"0"},{"last_affected":"234cb84e832da30b6f53ccca4ef28043aacfcecc"},{"last_affected":"8b293e1be40b949b8de
5d6ff7411c11416fe3d5a"},{"last_affected":"7482cf902106db2bff9e912cb67bdeea3adf5855"},{"last_affected":"fc73f6bb2c2a65fadb4a7720af95bf9850733e60"},{"last_affected":"015e1bec649d84d146b04e0062723c88e350e1b2"},{"last_affected":"f440f927198c8b4959c727aec80e9b7423a4f548"},{"last_affected":"5b99ee299031d331da9d4cc393ff1c24e0c8d63b"},{"last_affected":"28d43f886c5e387dbb496e850782274ec9176160"},{"last_affected":"58587159f08a5349801671b486cd781baa63cb9f"},{"last_affected":"1e727d65772327b5d89d89e4825e44484b6dd681"},{"last_affected":"30aecf3cc56c568e89e46cac0d87f280c07a847c"},{"last_affected":"2f9c99e5cfc97e1b8958520b5155aed06d441202"},{"last_affected":"a1efe4f35d067b93d6ff4b3850ae9b9d6d6f6e26"},{"last_affected":"0edb85c78b5844a42525705bec2901b773f844c2"},{"last_affected":"e3e2272a755a53863276850eb80dd5032f3cf571"},{"last_affected":"d802e2826a85a50b302f3da6770e6583822e2db8"},{"last_affected":"022f1c335755a00d947540fc307741b419bfe9ac"},{"last_affected":"51c9d3e9acb6981767461e0a2372b7f4c76ac356"},{"last_affected":"88d3ce96c1ca4ae319a789ff42a8c5c1e4bd69af"},{"last_affected":"4416e6cd4f9d48c976c169836cd040857448df28"},{"last_affected":"c467416ee076cfc7b91694628060fdd72c8e1fec"},{"last_affected":"44ae54f252e6de27efbcd1379ff5083ffccdde6a"},{"last_affected":"e5f530d33ca2860e3de51e4c504fb86013e9342a"},{"last_affected":"b6c8306609d97fd11f8caa5f523021152975fb71"},{"last_affected":"dfe80ddd9b5fee0a4a30e30e47d66bd4547f8956"},{"last_affected":"54980c7f1854c9407f91e8aa0fc452e7b7d68ef6"},{"last_affected":"d820f5e4102a577225980c611ad9f9d2e8623111"},{"last_affected":"993dfbfda2dfc0415409975764f2df7a7a8e622e"},{"last_affected":"1a7cb3c4a44f0509ce3d86a7586be624d6244615"},{"last_affected":"ecae24336a59df917def20f52153238ce66a6942"},{"last_affected":"a9c2b7b38d25017bd73f8a623492a45572bc52e3"},{"last_affected":"2239ddf6f4c798e28ba521b26f49c1236d870a65"},{"last_affected":"c734ee12b33c9f46fcb8c9d4b2ac1fa198e2a8e0"},{"last_affected":"261e37485a76586fddc858fb0896006fe92139f5"},{"last_affected":"ecd743
99a897b3d7acf92031cd3de7e554f06651"},{"last_affected":"d5ed9a1d6451267faa802f23cf6a2eccb8372484"},{"last_affected":"201b2d752efc4c79b0d52d90e95dac1093520d5f"},{"last_affected":"8d6636aab1c2ae892bff33fe66341eda4017cbb6"},{"last_affected":"345570109ae2dbdafe05a4270f0c710b7d53d050"},{"last_affected":"137dc19fcdeee5a5edc230b39d2cc47f01624df7"},{"last_affected":"dd42a21f3968c165af924310fce460694803756f"},{"last_affected":"77c0292665bc5e61d0e5108f9cd7e066381f28d3"},{"last_affected":"75bf620ae7df0967965a02e54e01f47ea5fa6f8c"},{"last_affected":"d111af1b88b53f2589d017a7cb6d068464d9bf77"},{"last_affected":"2cc3b278024ca45a72bc847a9457fc138424b16c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"3.2.1"},{"last_affected":"3.2.2"},{"last_affected":"3.2.3"},{"last_affected":"3.2.4"},{"last_affected":"3.2.5"},{"last_affected":"3.2.6"},{"last_affected":"3.2.7"},{"last_affected":"3.2.8"},{"last_affected":"3.2.9"},{"last_affected":"3.2.10"},{"last_affected":"3.2.11"},{"last_affected":"3.2.12"},{"last_affected":"3.2.13"},{"last_affected":"3.2.14"},{"last_affected":"3.2.15"},{"last_affected":"3.2.16"},{"last_affected":"3.2.17"},{"last_affected":"3.2.18"},{"last_affected":"4.0.1"},{"last_affected":"4.0.2"},{"last_affected":"4.0.3"},{"last_affected":"4.0.4"},{"last_affected":"4.0.5"},{"last_affected":"4.0.6"},{"last_affected":"4.0.7"},{"last_affected":"4.0.8"},{"last_affected":"4.0.9"},{"last_affected":"4.1.1"},{"last_affected":"4.1.2"},{"last_affected":"4.1.3"},{"last_affected":"4.1.4"},{"last_affected":"4.1.5"},{"last_affected":"4.1.6"},{"last_affected":"4.1.7"},{"last_affected":"4.1.8"},{"last_affected":"4.1.9"},{"last_affected":"4.2.1"},{"last_affected":"4.2.2"},{"last_affected":"4.2.3"},{"last_affected":"4.2.4"},{"last_affected":"4.2.5"},{"last_affected":"4.2.6"},{"last_affected":"4.2.7"},{"last_affected":"4.2.8"},{"last_affected":"4.2.9"}],"cpe":["cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:
*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.15:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.16:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.17:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:3.2.18:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.2:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.3:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.4:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.5:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.6:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.7:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.8:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.0.9:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.5:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.6:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.7:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.8:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.1.9:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring
_framework:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.8:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_framework:4.2.9:*:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["v3.2.18.RELEASE","v4.2.9.RELEASE","v4.2.8.RELEASE","v4.2.7.RELEASE","v3.2.17.RELEASE","v4.2.6.RELEASE","v4.2.5.RELEASE","v3.2.16.RELEASE","v4.2.4.RELEASE","v4.1.9.RELEASE","v4.2.3.RELEASE","v4.2.2.RELEASE","v4.1.8.RELEASE","v3.2.15.RELEASE","v4.2.1.RELEASE","v3.2.14.RELEASE","v4.1.7.RELEASE","v4.1.6.RELEASE","v4.1.5.RELEASE","v3.2.13.RELEASE","v4.0.9.RELEASE","v4.1.4.RELEASE","v4.1.3.RELEASE","v3.2.12.RELEASE","v4.1.2.RELEASE","v4.0.8.RELEASE","v4.1.1.RELEASE","v3.2.11.RELEASE","v4.0.7.RELEASE","v3.2.10.RELEASE","v4.0.6.RELEASE","v4.0.5.RELEASE","v3.2.9.RELEASE","v4.0.4.RELEASE","v4.0.3.RELEASE","v3.2.8.RELEASE","v4.0.2.RELEASE","v3.2.7.RELEASE","v4.0.1.RELEASE","v3.2.6.RELEASE","v4.0.0.RC2","v3.2.5.RELEASE","v4.0.0.RC1","v4.0.0.M3","v3.2.4.RELEASE","v4.0.0.M2","v3.2.3.RELEASE","v4.0.0.M1","v3.2.2.RELEASE","v3.2.1.RELEASE","v3.2.0.RELEASE","v3.2.0.RC2-A","v3.2.0.RC1","v3.2.0.M2","v3.2.0.M1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-5007.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-security","events":[{"introduced":"0"},{"last_affected":"4619705e37fa49556480fb942247fb7b63727b3e"},{"last_affected":"9287892863f77df4f29c53701e6fbf3fdc60a9a8"},{"last_affected":"afe5ec53d48393113f4f10f69b76ce7ac12b348c"},{"last_affected":"afcad4f0d48c9e4ca8abebcd08ebc3dc6194a6e9"},{"last_affected":"59bb10ef81dc0f1ceaeee8ab1c4d83344b924f90"},{"last_affected":"6dc270383762fa3509792ce34843b76f3f22130c"},{"last_affected":"98abd29c9fe
b67cc2a02cab1cd0f50f2306b7f1b"},{"last_affected":"644392045ab256246bb2212b85054e584dc57b8e"},{"last_affected":"48eb8788c4f077f1d0c9e2ba054d9443b0f6170d"},{"last_affected":"3243a7cde216a9542ef7b6e6a18f5a7c6a1992b8"},{"last_affected":"7f246e1c0e00e1eef15fe08664bddc4b18aa677a"},{"last_affected":"8f9065b3f6b48b9157b43b9e35153680d1bb68d7"},{"last_affected":"680facd4a81c4af2b10e606b964f84f6294e2c36"},{"last_affected":"33c9185160c91ffde53ff2c9da5420bd57420e48"},{"last_affected":"19f88e91793342babf034e55d2f96cbba72c061a"},{"last_affected":"0e9d9da46b4cc62370bb8d7dd5b9744f300b6c4f"},{"last_affected":"001b05569af749a34daac9191014cf3e2658b018"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"3.2.0"},{"last_affected":"3.2.1"},{"last_affected":"3.2.2"},{"last_affected":"3.2.3"},{"last_affected":"3.2.4"},{"last_affected":"3.2.5"},{"last_affected":"3.2.6"},{"last_affected":"3.2.7"},{"last_affected":"3.2.8"},{"last_affected":"3.2.9"},{"last_affected":"3.2.10"},{"last_affected":"4.0.0"},{"last_affected":"4.0.1"},{"last_affected":"4.0.2"},{"last_affected":"4.0.3"},{"last_affected":"4.0.4"},{"last_affected":"4.1.0"}],"cpe":["cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:3.2.10:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:4.0.0:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:4.0.2:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:4.0.3:*:*:*:*:*:*:*","cpe:2.3:a:vmware:sp
ring_security:4.0.4:*:*:*:*:*:*:*","cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["3.2.10.RELEASE","4.1.0.RELEASE","4.1.0.RC2","4.1.0.RC1","4.0.4.RELEASE","4.0.3.RELEASE","3.2.9.RELEASE","4.0.2.RELEASE","3.2.8.RELEASE","4.0.1.RELEASE","3.2.7.RELEASE","4.0.0.RELEASE","3.2.6.RELEASE","3.2.5.RELEASE","3.2.4.RELEASE","3.2.3.RELEASE","3.2.2.RELEASE","3.2.1.RELEASE","3.2.0.RELEASE","3.2.0.M2","3.1.3.RELEASE","3.1.2.RELEASE","3.1.1.RELEASE","3.1.0.RELEASE","3.1.0.RC3","3.1.0.RC2","3.1.0.RC1","3.1.0.M2","3.1.0.M1","3.0.2.RELEASE","3.0.1.RELEASE","3.0.0.RC2","3.0.0.M2","2.5.0.M1","1.0.5","1.0.4","1.0.3","1.0.2","1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-5007.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}