CVE-2023-38493

Name of the Vulnerable Software and Affected Versions Armeria versions prior to 1.24.3

Description The issue arises when Spring integration is used in Armeria, and the framework calls Spring controllers via TomcatService or JettyService with paths containing matrix variables. In such cases, the Armeria decorators may not be invoked due to the presence of matrix variables, potentially allowing an attacker to bypass the authorizer by sending a specially crafted request. For example, a request to /important;a=b/resources could bypass the authorizer.

Recommendations For versions prior to 1.24.3, update to version 1.24.3 to resolve the issue. As a temporary workaround, consider adding decorators using regex, such as "regex:^/important.*", to ensure that the authorizer is invoked correctly.