Critical severity · NVD Advisory · Published May 19, 2022 · Updated Aug 3, 2024
CVE-2022-22978
Description
In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and in older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications that use RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security:spring-security-core | Maven | >= 5.5.0, < 5.5.7 | 5.5.7 |
| org.springframework.security:spring-security-core | Maven | >= 5.6.0, < 5.6.4 | 5.6.4 |
| org.springframework.security:spring-security-core | Maven | < 5.4.11 | 5.4.11 |
| org.springframework.security:spring-security-web | Maven | >= 5.5.0, < 5.5.7 | 5.5.7 |
| org.springframework.security:spring-security-web | Maven | >= 5.6.0, < 5.6.4 | 5.6.4 |
| org.springframework.security:spring-security-web | Maven | < 5.4.11 | 5.4.11 |
Affected products
- Range: Spring Security versions 5.4.x prior to 5.4.11, 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and all earlier unsupported versions
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hh32-7344-cg2f (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22978 (GHSA, advisory)
- github.com/anchore/grype/issues/2158 (GHSA, web)
- github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java (GHSA, web)
- security.netapp.com/advisory/ntap-20220707-0003 (GHSA, web)
- spring.io/security/cve-2022-22978 (GHSA, web)
- tanzu.vmware.com/security/cve-2022-22978 (GHSA, web)
- www.oracle.com/security-alerts/cpujul2022.html (GHSA, web)
News mentions
No linked articles in our index yet.