CVE-2018-1199
Security Bypass vulnerability in spring-security-core (Maven)
What is CVE-2018-1199 About?
This Security Bypass vulnerability in Spring Security and Spring Framework allows an attacker to bypass security constraints by manipulating URL path parameters. The issue arises from inconsistent handling of path parameters across Servlet containers combined with Spring Security's reliance on getPathInfo() when matching requests to security rules. Exploitation requires crafting URLs with special encodings.
Affected Software
- org.springframework.security:spring-security-core
  - >5.0.0, <5.0.1
  - >4.1.0, <4.1.5
  - >4.2.0, <4.2.4
- org.springframework:spring-core
  - >5.0.0, <5.0.3
  - >4.3.0, <4.3.14
Technical Details
The vulnerability exists in Spring Security (versions 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1) and Spring Framework (4.3.x before 4.3.14 and 5.0.x before 5.0.3). The core problem is that Spring Security does not account for URL path parameters when enforcing security constraints. The handling of path parameters in the Servlet Specification is ambiguous, so some Servlet containers include path parameters in getPathInfo() while others strip them, and Spring Security uses the value from getPathInfo() to map requests to security constraints.

An attacker can leverage this by adding URL path parameters with special encodings (e.g., matrix parameters like ';param=value') that cause the security constraint to be evaluated against a different, unconstrained path, thus bypassing authentication or authorization checks. This is particularly effective for bypassing security on Spring MVC static resource URLs.
What is the Impact of CVE-2018-1199?
Successful exploitation may allow attackers to bypass security constraints, access unauthorized resources, and potentially gain access to sensitive information or functionality.
What is the Exploitability of CVE-2018-1199?
Exploitation requires crafting a specially encoded URL that includes path parameters, and the attack can be executed remotely. The complexity is moderate, as it depends on how the Servlet container handles getPathInfo() and how Spring Security's security constraints are defined. No authentication requirement is stated, so the attack could be unauthenticated in many scenarios, depending on the targeted resource's access policies. Privilege requirements are low, as the goal is to bypass existing controls. The vulnerability arises from an ambiguity in the Servlet Specification and its interaction with Spring Security's path mapping. The likelihood of exploitation increases when applications apply fine-grained security constraints to URLs and rely solely on Spring Security's default path matching behavior, without explicit path parameter sanitization or strict URL matching patterns.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1199?
Available Upgrade Options
- org.springframework:spring-core
  - >4.3.0, <4.3.14 → Upgrade to 4.3.14
  - >5.0.0, <5.0.3 → Upgrade to 5.0.3
- org.springframework.security:spring-security-core
  - >4.1.0, <4.1.5 → Upgrade to 4.1.5
  - >4.2.0, <4.2.4 → Upgrade to 4.2.4
  - >5.0.0, <5.0.1 → Upgrade to 5.0.1
Additional Resources
- https://access.redhat.com/errata/RHSA-2018:2405
- https://github.com/spring-projects/spring-security/commit/cb8041ba67635edafcc934498ef82707157fd22
- https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E
- https://pivotal.io/security/cve-2018-1199
- https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-1199
- https://github.com/spring-projects/spring-framework/commit/554662ebab87af97ba25d0c9f5449c7acda8df9c
- https://osv.dev/vulnerability/GHSA-v596-fwhq-8x48
What are Similar Vulnerabilities to CVE-2018-1199?
Similar Vulnerabilities: CVE-2016-5007, CVE-2018-15758, CVE-2023-34035, CVE-2020-5407, CVE-2020-5408
