Spring Security Advisories

Session id generation in the Java SockJS client is not sufficiently secure and could allow a user to send messages to another user’s session.

Note that this only affects users of the Java SockJS client, which generates its own session id. It does not affect browser clients even if they’re connecting to the same server.

Furthermore, since SockJS is a transport layer, when using a higher level messaging protocol on top such as STOMP over WebSocket with the spring-messaging module, application-level security may already be getting applied to STOMP messages and that can neutralize the impact of any potential attacks.

Some URLs were not santized correctly before use allowing an attacker to obtain any file on the file system that was also accessible to process in which the Spring web application was running.

Some URLs were not sanitized correctly before use allowing an attacker to obtain any file on the file system that was also accessible to process in which the Spring web application was running.

When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request.

This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed.

If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form.

The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default.

The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in an XSS vulnerability.

Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default. It was subsequently discovered that this fix was also incomplete (CVE-2014-0054).