High severity · NVD Advisory · Published Jul 25, 2023 · Updated Oct 3, 2024
Paths contain matrix variables bypass decorators
CVE-2023-38493
Description
Armeria is a microservice framework. Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not be invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.
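The mismatch described above can be modeled in plain Java as a check that compares a routing decision made on the raw request path with one made on the path after matrix variables are removed. This is an added example, not Armeria's or Spring's code and not the 1.24.3 patch; the class name, the `/admin/` prefix, the prefix-match model of a decorator route and the sample paths are all assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.stream.Collectors;

public class MatrixVariablePathCheck {
    // Hypothetical prefix standing in for a route that an authorizing decorator is bound to.
    static final String PROTECTED_PREFIX = "/admin/";

    /** Drops ";name=value" matrix variables from every segment, giving the path a controller mapping matches on. */
    static String stripMatrixVariables(String path) {
        return Arrays.stream(path.split("/", -1))
                .map(seg -> {
                    int i = seg.indexOf(';');
                    return i < 0 ? seg : seg.substring(0, i);
                })
                .collect(Collectors.joining("/"));
    }

    /** Simplified model of a decision taken on the raw path, matrix variables included. */
    static boolean needsAuthRaw(String rawPath) {
        return rawPath.startsWith(PROTECTED_PREFIX);
    }

    /** Decision taken on the same view of the path that the controller mapping uses. */
    static boolean needsAuthNormalized(String rawPath) {
        return stripMatrixVariables(rawPath).startsWith(PROTECTED_PREFIX);
    }

    /** True when the two layers disagree, i.e. the authorizer would be skipped for a protected handler. */
    static boolean layersDisagree(String rawPath) {
        return needsAuthRaw(rawPath) != needsAuthNormalized(rawPath);
    }

    public static void main(String[] args) {
        // Constructed sample paths for a regression check of route configuration.
        String[] samples = { "/admin/users", "/admin;v=1/users", "/public/info;v=1" };
        for (String p : samples) {
            System.out.printf("%-18s controller sees %-14s raw=%-5b normalized=%-5b disagree=%b%n",
                    p, stripMatrixVariables(p), needsAuthRaw(p), needsAuthNormalized(p), layersDisagree(p));
        }
    }
}
```

A check of this kind is useful as a regression test for any layer that authorizes on the request path: the authorization decision and the handler mapping must be computed from the same normalized path.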
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.linecorp.armeria:armeria (Maven) | < 1.24.3 | 1.24.3 |
References
- github.com/advisories/GHSA-wvp2-9ppw-337j [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2023-38493 [ghsa, ADVISORY]
- docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html [ghsa, x_refsource_MISC, WEB]
- github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07 [ghsa, x_refsource_MISC, WEB]
- github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b [ghsa, WEB]
- github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j [ghsa, x_refsource_CONFIRM, WEB]