Spring Security security bypass | CVE-2022-22978

May 21, 2022

NAME

Spring Security security bypass

  • Platforms Affected:
    Spring Spring Security 5.5.6
    Spring Spring Security 5.6.3
  • Risk Level:
    8.2
  • Exploitability:
    Unproven
  • Consequences:
    Bypass Security

DESCRIPTION

Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw in the RegexRequestMatcher component. By misconfiguring RegexRequestMatcher with `.` in the regular expression, an attacker could exploit this vulnerability to bypass authorization and obtain access.

CVSS 3.0 Information

  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Access Vector: Network
  • Access Complexity: Low
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: None
  • Remediation Level: Official Fix

MITIGATION

Refer to the Spring Web site for patch, upgrade or suggested workaround information. See References.

  • Reference Link:
    https://tanzu.vmware.com/security/cve-2022-22978
  • Reference Link:
    https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in-regexrequestmatcher

If you like the site, please consider joining the telegram channel and supporting us on Patreon using the button below.

Digital Patreon Wordmark FieryCoralv2

You may have missed

CISA Logo

CISA: Foreign Threat Actor Conducting Large-Scale Spearphishing Campaign with RDP Attachments

November 22, 2024
image

[RANSOMHUB] – Ransomware Victim: blr[.]com

November 22, 2024
hackerone

HackerOne Bug Bounty Disclosure: std-process-command-batch-files-argument-escaping-could-be-bypassed-with-trailing-whitespace-or-periods–xpl-r-r

November 22, 2024
image

[LOCKBIT3] – Ransomware Victim: madison-home[.]com

November 22, 2024
image

[CHORT] – Ransomware Victim: sheboyganwi[.]gov

November 22, 2024