How severe is CVE-2016-5007?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2016-5007?

This is classified as CWE-264, which is a common weakness in software security.

CVE-2016-5007 - HIGH Severity | CVSS 7.5

Vulnerability Description

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Related Vulnerabilities

CVE-2013-7432

HIGH

CVSS:7.5(High)

The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to bypass an intended protection mechanism.

CWE-2642013

CVE-2014-10058

HIGH

CVSS:7.5(High)

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile SD 210/SD 212/SD 205, SD 400, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 800, SD 8...

CWE-2642014

CVE-2014-3576

HIGH

CVSS:7.5(High)

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

CWE-2642014

CVE-2014-7851

HIGH

CVSS:7.5(High)

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that use...

CWE-2642014

CVE-2014-8421

HIGH

CVSS:7.5(High)

Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allow remote attackers to gain super-user privileges by leveraging SSH access and incorrect ownership of (1) ...

CWE-2642014

CVE-2015-1378

HIGH

CVSS:7.5(High)

cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68.1, 0.7x before 0.78 is sourced without checking that the local directory is writable by non-root users.

CWE-2642015