CVE-2022-22978

Description

In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4 (fixed in those releases and later), and in older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications that use RegexRequestMatcher with "." in the regular expression are possibly vulnerable to an authorization bypass.

Risk Information

Base Score: 9.8 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 90.406

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2022-22978 are fixed in spring-security-web 5.5.7 | Windows
Vulnerabilities CVE-2022-22978 are fixed in spring-security-web 5.6.4 | Windows
Vulnerabilities CVE-2022-22978 are fixed in spring-security-web 5.4.11 | Windows
Vulnerabilities CVE-2022-22978, CVE-2022-22976 are fixed in Spring-security-core 5.6.4 | Windows
Vulnerabilities CVE-2022-22978, CVE-2022-22976 are fixed in Spring-security-core 5.5.7 | Windows
Vulnerabilities CVE-2022-22978 are fixed in Spring-security-core 5.4.11 | Windows
Multiple Vulnerabilities are affected in Netapp Active Iq Unified Manager 2.3 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.7 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.2.1 | Windows
Vulnerabilities CVE-2022-22978 are fixed in spring-security-web for Linux 5.5.7 | Linux
Vulnerabilities CVE-2022-22978 are fixed in spring-security-web for Linux 5.6.4 | Linux
Vulnerabilities CVE-2022-22978 are fixed in spring-security-web for Linux 5.4.11 | Linux
Vulnerabilities CVE-2022-22978, CVE-2022-22976 are fixed in Spring-security-core for Linux 5.6.4 | Linux
Vulnerabilities CVE-2022-22978, CVE-2022-22976 are fixed in Spring-security-core for Linux 5.5.7 | Linux
Vulnerabilities CVE-2022-22978 are fixed in Spring-security-core for Linux 5.4.11 | Linux

Patch Details

No records found
