CVE-2022-23554

Name of the Vulnerable Software and Affected Versions Alpine versions prior to 1.10.4

Description The issue concerns Alpine, a Java scaffolding library. It allows an Authentication Filter bypass, where the AuthenticationFilter relies on the request URI to determine if the user is accessing the swagger endpoint. By accessing a URL with a path such as "/api/foo;%2fapi%2fswagger", the contains condition will hold, and the authentication filter will return without aborting the request. Note that the principal object will not be assigned, and therefore, the issue will not allow user impersonation.

Recommendations For Alpine versions prior to 1.10.4, update to version 1.10.4 to resolve the issue. As a temporary workaround, consider restricting access to the swagger endpoint to minimize the risk of exploitation.