PT-2022-3458 · Unknown · Spring Security

Hiroki Nishino +3

Published 2022-05-19 · Updated 2026-04-11

CVE-2022-22978

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Spring Security versions prior to 5.4.11
Spring Security versions prior to 5.5.7
Spring Security versions prior to 5.6.4
Spring Security older unsupported versions

Description
The issue is related to the RegexRequestMatcher component in Spring Security, which can be misconfigured, allowing an authorization bypass on some servlet containers. Applications that use RegexRequestMatcher with a '.' in the regular expression are possibly vulnerable. A remote attacker can exploit the vulnerability to elevate their privileges. The issue can be triggered using symbols such as %0d or %0a.

Recommendations
For Spring Security versions prior to 5.4.11, update to version 5.4.11 or later.
For Spring Security versions prior to 5.5.7, update to version 5.5.7 or later.
For Spring Security versions prior to 5.6.4, update to version 5.6.4 or later.
For Spring Security older unsupported versions, consider upgrading to a supported version.
As a temporary workaround, consider avoiding the use of '.' in the regular expression for RegexRequestMatcher until a patch is available.
Restrict access to the RegexRequestMatcher component to minimize the risk of exploitation.
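The mechanism behind the description and the workaround above is a property of Java regular expressions: with default flags, '.' does not match line terminators (\n, \r and a few others), so a request path in which the container has decoded %0d or %0a into a CR/LF falls outside a pattern such as "/admin/.*" and the authorization rule never applies. The following self-contained Java program is an added illustration of that behaviour, not code from Spring Security or from this advisory. The pattern, the sample paths and the class and method names are constructed for the example; whether a given servlet container actually delivers such a path, and whether the project's fix relies on Pattern.DOTALL, is not stated on this page and is not assumed here.

```java
import java.util.regex.Pattern;

// Added illustration (constructed example, not Spring Security code): how a '.'
// in a path-matching regular expression behaves when the path contains a CR/LF,
// and how compiling the same pattern with Pattern.DOTALL changes the result.
public class DotMatchesNewlineCheck {

    // Constructed pattern of the kind an application might hand to RegexRequestMatcher.
    static final String PROTECTED_PATH_PATTERN = "/admin/.*";

    // Compiles the pattern with Java's default flags. Here '.' does not match
    // line terminators, so a path containing one is not covered by the rule.
    static boolean matchesWithDefaultFlags(String regex, String path) {
        return Pattern.compile(regex).matcher(path).matches();
    }

    // Compiles the same pattern with Pattern.DOTALL, so '.' also matches line
    // terminators and the rule covers paths with an embedded CR/LF as well.
    static boolean matchesWithDotAll(String regex, String path) {
        return Pattern.compile(regex, Pattern.DOTALL).matcher(path).matches();
    }

    // Escapes CR/LF so the sample path is readable when printed.
    static String printable(String path) {
        return path.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        // Constructed sample paths. The second stands for what a container could
        // present to the matcher after decoding %0d%0a inside the request path.
        String[] paths = { "/admin/users", "/admin/\r\nusers" };

        for (String path : paths) {
            System.out.printf("%-22s default flags: %-5s DOTALL: %s%n",
                    printable(path),
                    matchesWithDefaultFlags(PROTECTED_PATH_PATTERN, path),
                    matchesWithDotAll(PROTECTED_PATH_PATTERN, path));
        }
    }
}
```

Running the program against the two constructed paths shows the first path matching under both compilations and the second matching only under DOTALL. As a review aid, the same check can be applied to every pattern an application passes to RegexRequestMatcher: any pattern that stops matching when a CR or LF is inserted into a path it is meant to protect is one the workaround above is talking about.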

Exploit

Fix

Weakness Enumeration

Improper Authorization
Incorrect Authorization

Related Identifiers

BDU:2022-04236
CVE-2022-22978
GHSA-HH32-7344-CG2F
RHSA-2023:3299

Affected Products

Spring Security