CVE-2022-22978

Authorization bypass in Spring Security in maven/org.springframework.security/spring-security-web

Identifiers

CVE-2022-22978, GHSA-hh32-7344-cg2f

Package Slug

maven/org.springframework.security/spring-security-web

Vulnerability

Authorization bypass in Spring Security

Description

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications that use RegexRequestMatcher with a '.' in the regular expression may be vulnerable to an authorization bypass.

Affected Versions

All versions before 5.5.7, and all versions from 5.6.0 before 5.6.4

Solution

Upgrade to versions 5.5.7, 5.6.4 or above.

Last Modified

2023-09-06
