CVE-2022-22978 org.springframework.security:spring-security-web

Package

Manager: maven
Name: org.springframework.security:spring-security-web
Vulnerable Version: >=5.5.0 <5.5.7 || >=5.6.0 <5.6.4 || >=0 <5.4.11

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.90791 (percentile 0.99607)

Details

Authorization bypass in Spring Security

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Metadata

Created: 2022-05-20T00:00:39Z
Modified: 2024-10-04T20:22:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hh32-7344-cg2f/GHSA-hh32-7344-cg2f.json
CWE IDs: ["CWE-285", "CWE-863"]
Alternative ID: GHSA-hh32-7344-cg2f
Finding: F039
Auto approve: 1