Security context
High· 7.5GHSA-4487-x383-qpph CVE-2018-1272Published Oct 17, 2018

Possible privilege escalation in org.springframework:spring-core

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 4.3.155.0.0 → fixed in 5.0.5

Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

The fix

MimeTypeUtils uses SecureRandom

Rossen Stoyanchev· Mar 24, 2018, 01:45 AM+21ab2410c754
spring-core/src/main/java/org/springframework/util/MimeTypeUtils.java+2 1
@@ -18,6 +18,7 @@
import java.nio.charset.StandardCharsets;
import java.nio.charset.UnsupportedCharsetException;
+import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -45,7 +46,7 @@ public abstract class MimeTypeUtils {
'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
'V', 'W', 'X', 'Y', 'Z'};
- private static final Random RND = new Random();
+ private static final Random RND = new SecureRandom();
/**
* Comparator used by {@link #sortBySpecificity(List)}.

MimeTypeUtils uses SecureRandom

Rossen Stoyanchev· Mar 24, 2018, 01:52 AM+32e02ff3a0da
spring-core/src/main/java/org/springframework/util/MimeTypeUtils.java+3 2
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
import java.nio.charset.Charset;
import java.nio.charset.UnsupportedCharsetException;
+import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -46,7 +47,7 @@ public abstract class MimeTypeUtils {
'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
'V', 'W', 'X', 'Y', 'Z'};
- private static final Random RND = new Random();
+ private static final Random RND = new SecureRandom();
private static Charset US_ASCII = Charset.forName("US-ASCII");

References