| Snyk

Threat Intelligence

Proof of concept

0.08% (38^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Authorization vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JAVA-COMLINECORPARMERIA-5805287
published26 Jul 2023
disclosed26 Jul 2023
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 26 Jul 2023

CVE-2023-38493 (opens in a new tab) CWE-863 (opens in a new tab)

How to fix?

Upgrade com.linecorp.armeria:armeria to version 1.24.3 or higher.

Overview

com.linecorp.armeria:armeria is an asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)

Affected versions of this package are vulnerable to Incorrect Authorization. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. The Armeria decorators might not be invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer.

Workaround

Users who are unable to upgrade to the fixed version can add decorators using regex. e.g. regex:^/important.*

PoC

// Spring controller
@GetMapping("/important/resources")
public String important() {...}

// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);

If an attacker sends a request with /important;a=b/resources, the request would bypass the authorizer.

References

CVSS Scores

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Privileges Required (PR)
None
User Interaction (UI)
None

Scope (S)
Unchanged

Confidentiality (C)
High
Integrity (I)
None
Availability (A)
None

Incorrect Authorization Affecting com.linecorp.armeria:armeria package, versions [,1.24.3)

Severity