CVE-2011-2732 — Improper Control of Generation of Code in Spring Security

Description

CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.

How to fix CVE-2011-2732

To remediate CVE-2011-2732, upgrade the affected package to a fixed version below.

Maven/org.springframework.security:spring-security-core—upgrade to 2.0.7 or later

Is CVE-2011-2732 being exploited?

Moderate — EPSS is 7.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.0.7

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-2732
PATCHgithub.com/spring-projects/spring-security
WEBbugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
WEBsupport.springsource.com/security/cve-2011-2732