CVE-2010-3700

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://issues.apache.org/bugzilla/show_bug.cgi?id=25015
http://www.securityfocus.com/bid/44496
http://osvdb.org/68931
http://www.springsource.com/security/cve-2010-3700
http://secunia.com/advisories/42024
http://www.securityfocus.com/archive/1/514517/100/0/threaded

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:vmware:springsource_spring_security:2.0.4:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:2.0.3:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.4:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.5:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:2.0.0:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:2.0.5:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.2:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.3:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:3.0.0:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:3.0.1:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:2.0.2:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.1:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:3.0.2:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.6:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.0:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:3.0.3:::::::*
	cpe:2.3:a:vmware:springsource_spring_security:2.0.1:::::::*
	cpe:2.3:a:acegisecurity:acegi-security:1.0.7:::::::*

OR	cpe:2.3:a:ibm:websphere_application_server:7.0:::::::*
	cpe:2.3:a:ibm:websphere_application_server:6.1:::::::*

Information

Published : 2010-10-29 12:00

Updated : 2018-10-10 13:05

NVD link : CVE-2010-3700

Mitre link : CVE-2010-3700

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

acegisecurity

acegi-security

ibm

websphere_application_server

vmware

springsource_spring_security

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25015", "name": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25015", "tags": [], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/44496", "name": "44496", "tags": [], "refsource": "BID"}, {"url": "http://osvdb.org/68931", "name": "68931", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.springsource.com/security/cve-2010-3700", "name": "http://www.springsource.com/security/cve-2010-3700", "tags": [], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/42024", "name": "42024", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.securityfocus.com/archive/1/514517/100/0/threaded", "name": "20101027 CVE-2010-3700: Spring Security bypass of security constraints", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2010-3700", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2010-10-29T19:00Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:2.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:2.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:2.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:2.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:3.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:3.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:2.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:3.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:3.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vmware:springsource_spring_security:2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:acegisecurity:acegi-security:1.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-10T20:05Z"}

5.0 /10