CVE-2022-22978

Summary

In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Affected Software

VendorProductVersion RangeStatus
n/aSpring SecuritySpring security versions 5.4.x prior to 5.4.11+,5.5.x prior to 5.5.7+,5.6.x prior to 5.6.4+ and all earlier unsupported versionsaffected

Weaknesses

  • CWE-863: CWE-863- improper authorization

ADP Enrichment

CVE Program Container

Additional References

References