Bitbucket Data Center / BSERV-9469

Spring Security / MVC Path Matching Inconsistency


      An anonymous user can gain read-only access to some administrative pages by crafting a malicious GET request. This vulnerability was originally detected in Spring Security (CVE-5006).

      Affected versions: customers who have downloaded and installed Bitbucket Server (formerly Stash) >= 2.4.2 and < 4.8.x.
      Please upgrade your Bitbucket Server (formerly Stash) installation to fix this vulnerability.

      A known fix for this problem is detailed below:

      <!-- JSR-303 (bean validations) support will be detected on classpath and enabled automatically -->
      <mvc:annotation-driven validator="validator">
          <mvc:message-converters>
              <bean class="org.springframework.http.converter.BufferedImageHttpMessageConverter"/>
          </mvc:message-converters>
          <!-- Disable suffix-pattern matching ("/path.*" no longer maps to the "/path" handler) and
               use an explicit matcher so Spring MVC compares the same path Spring Security saw -->
          <mvc:path-matching suffix-pattern="false" path-matcher="pathMatcher"/>
      </mvc:annotation-driven>
      <!-- trimTokens="false": leading/trailing whitespace in a path segment is kept verbatim
           instead of being stripped before the segment is compared with the pattern -->
      <bean id="pathMatcher" class="org.springframework.util.AntPathMatcher">
          <property name="trimTokens" value="false"/>
      </bean>
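To verify the trimTokens setting in isolation, here is an added Java check (not code from the issue or from Atlassian): it compares a matcher that trims tokens against one configured like the pathMatcher bean above, using a constructed admin pattern and a whitespace-padded request path that are placeholders rather than Bitbucket's real routes.

```java
import org.springframework.util.AntPathMatcher;

public class PathMatcherCheck {
    // Constructed sample values (assumptions, not Bitbucket's routes): an admin-only
    // pattern and a request path whose first segment carries leading whitespace.
    static final String ADMIN_PATTERN = "/admin/**";
    static final String PADDED_PATH = "/ admin/users";

    // Build an AntPathMatcher with the given trimTokens setting and test one pattern/path pair.
    static boolean matches(boolean trimTokens, String pattern, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        // trimTokens=true strips whitespace from each segment before comparing;
        // trimTokens=false (the fix) compares segments verbatim.
        matcher.setTrimTokens(trimTokens);
        return matcher.match(pattern, path);
    }

    public static void main(String[] args) {
        // Trimming matcher: the segment " admin" is normalised to "admin", so the padded
        // path is treated as an admin page even though it is not literally under /admin/.
        boolean trimmed = matches(true, ADMIN_PATTERN, PADDED_PATH);
        // Matcher configured as in the fix: " admin" is not "admin", so the pattern does not match
        // and the two frameworks agree on what the path is.
        boolean verbatim = matches(false, ADMIN_PATTERN, PADDED_PATH);

        System.out.println("trimTokens=true  matches padded path: " + trimmed);
        System.out.println("trimTokens=false matches padded path: " + verbatim);
        if (verbatim) {
            throw new IllegalStateException("matcher still trims tokens; check the pathMatcher bean");
        }
    }
}
```

Spring Framework 4.3 and later default trimTokens to false, so the explicit bean matters most on the older Spring versions bundled with the affected Bitbucket Server releases.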
      

            mhart@atlassian.com Matt Hart (Inactive)