{"id":"CVE-2016-5007","details":"Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to treat certain paths as not protected even though they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching, as well as by the fact that pattern matching in both Spring Security and the Spring Framework can easily be customized, creating additional differences.","aliases":["GHSA-8crv-49fr-2h6j"],"modified":"2026-04-10T03:50:08.174675Z","published":"2017-05-25T17:29:00.740Z","references":[{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91687"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2016-5007"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-framework","events":[{"introduced":"0"},{"last_affected":"abdcefb460fcbc1348ef04505a78381a2c69a643"},{"introduced":"0"},{"last_affected":"299f8b15ad1f74ca769b396d915e8369623279f2"},{"introduced":"0"},{"last_affected":"8d2fd1163309e659c7411b7e5557eddb912ec684"},{"introduced":"0"},{"last_affected":"22a14c02c2fad2f7338bb66a759f325f17089612"},{"introduced":"0"},{"last_affected":"234cb84e832da30b6f53ccca4ef28043aacfcecc"},{"introduced":"0"},{"last_affected":"8b293e1be40b949b8de5d6ff7411c11416fe3d5a"},{"introduced":"0"},{"last_affected":"7482cf902106db2bff9e912cb67bdeea3adf5855"},{"introduced":"0"},{"last_affected":"fc73f6bb2c2a65fadb4a7720af95bf9850733e60"}
,{"introduced":"0"},{"last_affected":"015e1bec649d84d146b04e0062723c88e350e1b2"},{"introduced":"0"},{"last_affected":"f440f927198c8b4959c727aec80e9b7423a4f548"},{"introduced":"0"},{"last_affected":"5b99ee299031d331da9d4cc393ff1c24e0c8d63b"},{"introduced":"0"},{"last_affected":"28d43f886c5e387dbb496e850782274ec9176160"},{"introduced":"0"},{"last_affected":"58587159f08a5349801671b486cd781baa63cb9f"},{"introduced":"0"},{"last_affected":"1e727d65772327b5d89d89e4825e44484b6dd681"},{"introduced":"0"},{"last_affected":"30aecf3cc56c568e89e46cac0d87f280c07a847c"},{"introduced":"0"},{"last_affected":"2f9c99e5cfc97e1b8958520b5155aed06d441202"},{"introduced":"0"},{"last_affected":"a1efe4f35d067b93d6ff4b3850ae9b9d6d6f6e26"},{"introduced":"0"},{"last_affected":"0edb85c78b5844a42525705bec2901b773f844c2"},{"introduced":"0"},{"last_affected":"e3e2272a755a53863276850eb80dd5032f3cf571"},{"introduced":"0"},{"last_affected":"d802e2826a85a50b302f3da6770e6583822e2db8"},{"introduced":"0"},{"last_affected":"022f1c335755a00d947540fc307741b419bfe9ac"},{"introduced":"0"},{"last_affected":"51c9d3e9acb6981767461e0a2372b7f4c76ac356"},{"introduced":"0"},{"last_affected":"88d3ce96c1ca4ae319a789ff42a8c5c1e4bd69af"},{"introduced":"0"},{"last_affected":"4416e6cd4f9d48c976c169836cd040857448df28"},{"introduced":"0"},{"last_affected":"c467416ee076cfc7b91694628060fdd72c8e1fec"},{"introduced":"0"},{"last_affected":"44ae54f252e6de27efbcd1379ff5083ffccdde6a"},{"introduced":"0"},{"last_affected":"e5f530d33ca2860e3de51e4c504fb86013e9342a"},{"introduced":"0"},{"last_affected":"b6c8306609d97fd11f8caa5f523021152975fb71"},{"introduced":"0"},{"last_affected":"dfe80ddd9b5fee0a4a30e30e47d66bd4547f8956"},{"introduced":"0"},{"last_affected":"54980c7f1854c9407f91e8aa0fc452e7b7d68ef6"},{"introduced":"0"},{"last_affected":"d820f5e4102a577225980c611ad9f9d2e8623111"},{"introduced":"0"},{"last_affected":"993dfbfda2dfc0415409975764f2df7a7a8e622e"},{"introduced":"0"},{"last_affected":"1a7cb3c4a44f0509ce3d86a7586be624d6244615"}
,{"introduced":"0"},{"last_affected":"ecae24336a59df917def20f52153238ce66a6942"},{"introduced":"0"},{"last_affected":"a9c2b7b38d25017bd73f8a623492a45572bc52e3"},{"introduced":"0"},{"last_affected":"2239ddf6f4c798e28ba521b26f49c1236d870a65"},{"introduced":"0"},{"last_affected":"c734ee12b33c9f46fcb8c9d4b2ac1fa198e2a8e0"},{"introduced":"0"},{"last_affected":"261e37485a76586fddc858fb0896006fe92139f5"},{"introduced":"0"},{"last_affected":"ecd74399a897b3d7acf92031cd3de7e554f06651"},{"introduced":"0"},{"last_affected":"d5ed9a1d6451267faa802f23cf6a2eccb8372484"},{"introduced":"0"},{"last_affected":"201b2d752efc4c79b0d52d90e95dac1093520d5f"},{"introduced":"0"},{"last_affected":"8d6636aab1c2ae892bff33fe66341eda4017cbb6"},{"introduced":"0"},{"last_affected":"345570109ae2dbdafe05a4270f0c710b7d53d050"},{"introduced":"0"},{"last_affected":"137dc19fcdeee5a5edc230b39d2cc47f01624df7"},{"introduced":"0"},{"last_affected":"dd42a21f3968c165af924310fce460694803756f"},{"introduced":"0"},{"last_affected":"77c0292665bc5e61d0e5108f9cd7e066381f28d3"},{"introduced":"0"},{"last_affected":"75bf620ae7df0967965a02e54e01f47ea5fa6f8c"},{"introduced":"0"},{"last_affected":"d111af1b88b53f2589d017a7cb6d068464d9bf77"},{"introduced":"0"},{"last_affected":"2cc3b278024ca45a72bc847a9457fc138424b16c"},{"introduced":"0"},{"last_affected":"abdcefb460fcbc1348ef04505a78381a2c69a643"},{"introduced":"0"},{"last_affected":"234cb84e832da30b6f53ccca4ef28043aacfcecc"},{"introduced":"0"},{"last_affected":"8b293e1be40b949b8de5d6ff7411c11416fe3d5a"},{"introduced":"0"},{"last_affected":"7482cf902106db2bff9e912cb67bdeea3adf5855"},{"introduced":"0"},{"last_affected":"fc73f6bb2c2a65fadb4a7720af95bf9850733e60"},{"introduced":"0"},{"last_affected":"015e1bec649d84d146b04e0062723c88e350e1b2"},{"introduced":"0"},{"last_affected":"f440f927198c8b4959c727aec80e9b7423a4f548"},{"introduced":"0"},{"last_affected":"5b99ee299031d331da9d4cc393ff1c24e0c8d63b"},{"introduced":"0"},{"last_affected":"28d43f886c5e387dbb496e850782274ec9176160"}
,{"introduced":"0"},{"last_affected":"58587159f08a5349801671b486cd781baa63cb9f"},{"introduced":"0"},{"last_affected":"1e727d65772327b5d89d89e4825e44484b6dd681"},{"introduced":"0"},{"last_affected":"299f8b15ad1f74ca769b396d915e8369623279f2"},{"introduced":"0"},{"last_affected":"88d3ce96c1ca4ae319a789ff42a8c5c1e4bd69af"},{"introduced":"0"},{"last_affected":"4416e6cd4f9d48c976c169836cd040857448df28"},{"introduced":"0"},{"last_affected":"c467416ee076cfc7b91694628060fdd72c8e1fec"},{"introduced":"0"},{"last_affected":"44ae54f252e6de27efbcd1379ff5083ffccdde6a"},{"introduced":"0"},{"last_affected":"8d2fd1163309e659c7411b7e5557eddb912ec684"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"4.0.0"},{"introduced":"0"},{"last_affected":"4.1.0"},{"introduced":"0"},{"last_affected":"4.2.0"},{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.2.3"},{"introduced":"0"},{"last_affected":"3.2.4"},{"introduced":"0"},{"last_affected":"3.2.5"},{"introduced":"0"},{"last_affected":"3.2.6"},{"introduced":"0"},{"last_affected":"3.2.7"},{"introduced":"0"},{"last_affected":"3.2.8"},{"introduced":"0"},{"last_affected":"3.2.9"},{"introduced":"0"},{"last_affected":"3.2.10"},{"introduced":"0"},{"last_affected":"3.2.11"},{"introduced":"0"},{"last_affected":"3.2.12"},{"introduced":"0"},{"last_affected":"3.2.13"},{"introduced":"0"},{"last_affected":"3.2.14"},{"introduced":"0"},{"last_affected":"3.2.15"},{"introduced":"0"},{"last_affected":"3.2.16"},{"introduced":"0"},{"last_affected":"3.2.17"},{"introduced":"0"},{"last_affected":"3.2.18"},{"introduced":"0"},{"last_affected":"4.0.1"},{"introduced":"0"},{"last_affected":"4.0.2"},{"introduced":"0"},{"last_affected":"4.0.3"},{"introduced":"0"},{"last_affected":"4.0.4"},{"introduced":"0"},{"last_affected":"4.0.5"},{"introduced":"0"},{"last_affected":"4.0.6"},{"introduced":"0"},{"last_affected":"4.0.7"},{"introduce
d":"0"},{"last_affected":"4.0.8"},{"introduced":"0"},{"last_affected":"4.0.9"},{"introduced":"0"},{"last_affected":"4.1.1"},{"introduced":"0"},{"last_affected":"4.1.2"},{"introduced":"0"},{"last_affected":"4.1.3"},{"introduced":"0"},{"last_affected":"4.1.4"},{"introduced":"0"},{"last_affected":"4.1.5"},{"introduced":"0"},{"last_affected":"4.1.6"},{"introduced":"0"},{"last_affected":"4.1.7"},{"introduced":"0"},{"last_affected":"4.1.8"},{"introduced":"0"},{"last_affected":"4.1.9"},{"introduced":"0"},{"last_affected":"4.2.1"},{"introduced":"0"},{"last_affected":"4.2.2"},{"introduced":"0"},{"last_affected":"4.2.3"},{"introduced":"0"},{"last_affected":"4.2.4"},{"introduced":"0"},{"last_affected":"4.2.5"},{"introduced":"0"},{"last_affected":"4.2.6"},{"introduced":"0"},{"last_affected":"4.2.7"},{"introduced":"0"},{"last_affected":"4.2.8"},{"introduced":"0"},{"last_affected":"4.2.9"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.2.3"},{"introduced":"0"},{"last_affected":"3.2.4"},{"introduced":"0"},{"last_affected":"3.2.5"},{"introduced":"0"},{"last_affected":"3.2.6"},{"introduced":"0"},{"last_affected":"3.2.7"},{"introduced":"0"},{"last_affected":"3.2.8"},{"introduced":"0"},{"last_affected":"3.2.9"},{"introduced":"0"},{"last_affected":"3.2.10"},{"introduced":"0"},{"last_affected":"4.0.0"},{"introduced":"0"},{"last_affected":"4.0.1"},{"introduced":"0"},{"last_affected":"4.0.2"},{"introduced":"0"},{"last_affected":"4.0.3"},{"introduced":"0"},{"last_affected":"4.0.4"},{"introduced":"0"},{"last_affected":"4.1.0"}]}}],"versions":["v3.2.0.M1","v3.2.0.M2","v3.2.0.RC1","v3.2.0.RC2-A","v3.2.0.RELEASE","v3.2.1.RELEASE","v3.2.10.RELEASE","v3.2.11.RELEASE","v3.2.12.RELEASE","v3.2.13.RELEASE","v3.2.14.RELEASE","v3.2.15.RELEASE","v3.2.16.RELEASE","v3.2.17.RELEASE","v3.2.18.RELEASE","v3.2.2.RELEASE","v3.2.3.RELEASE","v3.2.4.RELEASE","v3.2.5.RELEASE","v3.2.6.RELEA
SE","v3.2.7.RELEASE","v3.2.8.RELEASE","v3.2.9.RELEASE","v4.0.0.M1","v4.0.0.M2","v4.0.0.M3","v4.0.0.RC1","v4.0.0.RC2","v4.0.0.RELEASE","v4.0.1.RELEASE","v4.0.2.RELEASE","v4.0.3.RELEASE","v4.0.4.RELEASE","v4.0.5.RELEASE","v4.0.6.RELEASE","v4.0.7.RELEASE","v4.0.8.RELEASE","v4.0.9.RELEASE","v4.1.0.RELEASE","v4.1.1.RELEASE","v4.1.2.RELEASE","v4.1.3.RELEASE","v4.1.4.RELEASE","v4.1.5.RELEASE","v4.1.6.RELEASE","v4.1.7.RELEASE","v4.1.8.RELEASE","v4.1.9.RELEASE","v4.2.0.RELEASE","v4.2.1.RELEASE","v4.2.2.RELEASE","v4.2.3.RELEASE","v4.2.4.RELEASE","v4.2.5.RELEASE","v4.2.6.RELEASE","v4.2.7.RELEASE","v4.2.8.RELEASE","v4.2.9.RELEASE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5007.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}