SCA: security update for org.springframework.security:spring-security-core (GHSA-v35c-49j6-q8hq)

high Tenable Self-Hosted Container Security Plugin ID 419028

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before
4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By
adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security
constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in
the Servlet Specification. Some Servlet containers include path parameters in the value returned for
getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the
process of mapping requests to security constraints. The unexpected presence of path parameters can cause
a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this
vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips
path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of
other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the
handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known
to be affected. Users of other containers that implement the Servlet specification may be affected.
(CVE-2016-9879)

See Also

https://github.com/advisories/GHSA-v35c-49j6-q8hq

Plugin Details

Severity: High

ID: 419028

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2016-9879

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/15/2020

Vulnerability Publication Date: 12/28/2016

Reference Information

CVE: CVE-2016-9879

BID: 95142