2087606 – (CVE-2022-22978) CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher

Bug 2087606 (CVE-2022-22978) - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher

Summary: CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-22978
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2087941
Blocks:	2087215
TreeView+	depends on / blocked

Reported:	2022-05-18 05:45 UTC by Sandipan Roy
Modified:	2023-05-24 17:10 UTC (History)
CC List:	63 users (show)
Fixed In Version:	spring-security 5.5.7, spring-security 5.6.4, spring-security 5.7.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Clone Of:
Environment:
Last Closed:	2022-07-07 21:10:55 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5532	0	None	None	None	2022-07-07 14:23:25 UTC
Red Hat Product Errata	RHSA-2023:3299	0	None	None	None	2023-05-24 17:10:44 UTC

Description Sandipan Roy 2022-05-18 05:45:03 UTC

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.

Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
https://tanzu.vmware.com/security/cve-2022-22978

Comment 1 Patrick Del Bello 2022-05-18 15:00:33 UTC

Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 2087941]

Comment 3 errata-xmlrpc 2022-07-07 14:23:21 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 4 Product Security DevOps Team 2022-07-07 21:10:50 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22978

Comment 9 errata-xmlrpc 2023-05-24 17:10:40 UTC

This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299

Note You need to log in before you can comment on or make changes to this bug.

abenaiss
aboyko
aileenc
alazarot
anstephe
avibelli
bgeorges
boliveir
chazlett
clement.escoffier
cmoulliard
dandread
dchen
dkreling
drieden
ellin
emingora
etirelli
extras-orphan
ggaughan
gmalinko
gsmet
hamadhan
hbraun
ibek
ikanello
janstey
java-sig-commits
jnethert
jochrist
jolee
jrokos
jross
jschatte
jstastny
jwon
krathod
kverlaen
lthon
mnovotny
mszynkie
pantinor
pdelbell
pdrozd
peholase
pgallagh
pjindal
probinso
pskopek
puntogil
rareddy
rguimara
rrajasek
rruss
rsvoboda
sbiarozk
scorneli
sdouglas
shbose
sthorger
swoodman
tzimanyi
wlovaton