Spring Security Authentication Bypass - Vulnerability Database

Spring Security Authentication Bypass

Description

A path matching inconsistency between Spring Security and Spring Framework can lead to authentication bypass. Spring Security uses URL pattern matching to decide which resources require authentication, while Spring Framework uses similar patterns to route requests to controllers. Because the two components handle path matching differently, in particular with respect to whitespace trimming inside path segments and overall pattern strictness, certain URLs may be routed to a protected controller by Spring Framework yet not be recognized as protected by Spring Security. The result is that endpoints which should require authentication become reachable without the intended authentication or authorization checks.

Remediation

Apply the following remediation steps based on your Spring version:

Recommended Solution (Upgrade):

  • Upgrade to Spring Security 4.1.1 or later AND Spring Framework 4.3.1 or later
  • Configure Spring Security to use MvcRequestMatcher instead of AntPathRequestMatcher for URL authorization. This delegates pattern matching to Spring Framework, ensuring consistency:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // mvcMatchers() (Spring Security 4.1.1+) delegates matching to Spring MVC's
        // HandlerMappingIntrospector, so authorization sees the same path the
        // controller mapping sees.
        http.authorizeRequests()
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            .mvcMatchers("/api/**").authenticated()
            // Deny by default: anything not listed above still requires a login.
            .anyRequest().authenticated();
    }
}

Alternative Solutions:
  • For Spring Framework 4.3.0+: Upgrading to 4.3.0 or later automatically sets trimTokens to false in AntPathMatcher, reducing inconsistencies
  • For Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x: Manually configure AntPathMatcher to disable token trimming using MVC Java config or XML namespace configuration:
import org.springframework.context.annotation.Configuration;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
// On Spring Framework 4.x, WebMvcConfigurer has no default methods, so extend the
// adapter instead of implementing the whole interface.
public class WebMvcConfig extends WebMvcConfigurerAdapter {
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        // Stop AntPathMatcher from trimming whitespace inside path segments so that
        // controller routing agrees with Spring Security's view of the URL.
        AntPathMatcher matcher = new AntPathMatcher();
        matcher.setTrimTokens(false);
        configurer.setPathMatcher(matcher);
    }
}

Defense in Depth:
  • Implement method-level security using @Secured, @PreAuthorize, or @RolesAllowed annotations on controller methods as an additional layer of protection
  • Conduct thorough testing of all protected endpoints with various URL formats including trailing slashes, encoded characters, and whitespace variations
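The following JUnit 4 regression test is added here as an illustration (it is not part of this database entry or of the Spring projects) and covers both the trimTokens setting configured above and the whitespace-variant testing recommended in this section. It uses only spring-core's AntPathMatcher; PROTECTED_PATTERN, PLAIN and WHITESPACE_VARIANT are constructed sample values.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.springframework.util.AntPathMatcher;

public class PathMatchConsistencyTest {

    // Constructed sample values for this test.
    private static final String PROTECTED_PATTERN = "/admin/**";
    private static final String PLAIN = "/admin/users";
    private static final String WHITESPACE_VARIANT = "/ admin/users"; // space inside first segment

    /** Mirrors the matcher Spring MVC uses to route a request to a controller. */
    private static boolean routedToProtectedController(boolean trimTokens, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        matcher.setTrimTokens(trimTokens);
        return matcher.match(PROTECTED_PATTERN, path);
    }

    @Test
    public void legacyDefaultTrimsSegmentsBeforeMatching() {
        // trimTokens=true was the default before Spring Framework 4.3: the
        // whitespace variant is routed to the /admin controller even though
        // it does not literally begin with "/admin/".
        assertTrue(routedToProtectedController(true, WHITESPACE_VARIANT));
    }

    @Test
    public void hardenedMatcherMatchesSegmentsLiterally() {
        // With trimTokens=false (set by WebMvcConfig above, default in 4.3+)
        // the variant is no longer routed, while the plain URL still is.
        assertFalse(routedToProtectedController(false, WHITESPACE_VARIANT));
        assertTrue(routedToProtectedController(false, PLAIN));
    }

    @Test
    public void trailingSlashIsHandledTheSameEitherWay() {
        // "/admin/" falls under "/admin/**" with or without trimming, so the
        // hardened setting does not change behaviour for that variant.
        assertEquals(routedToProtectedController(true, "/admin/"),
                     routedToProtectedController(false, "/admin/"));
        assertTrue(routedToProtectedController(false, "/admin/"));
    }
}
```

Run it in the application's build after applying the remediation: a failure in the second test means the MVC path matcher is still trimming tokens and routing does not yet agree with authorization.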

Affected Versions:
  • Spring Security: 3.2.x, 4.0.x, 4.1.0 and older unsupported versions
  • Spring Framework: 3.2.x, 4.0.x, 4.1.x, 4.2.x and older unsupported versions