Incorrect Authorization Affecting com.linecorp.armeria:armeria package, versions [,1.24.3)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMLINECORPARMERIA-5805287
- published 26 Jul 2023
- disclosed 26 Jul 2023
- credit Unknown
Introduced: 26 Jul 2023
CVE-2023-38493 Open this link in a new tabHow to fix?
Upgrade com.linecorp.armeria:armeria to version 1.24.3 or higher.
Overview
com.linecorp.armeria:armeria is an asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)
Affected versions of this package are vulnerable to Incorrect Authorization. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. The Armeria decorators might not be invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer.
Workaround
Users who are unable to upgrade to the fixed version can add decorators using regex. e.g. regex:^/important.*
PoC
// Spring controller
@GetMapping("/important/resources")
public String important() {...}
// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
If an attacker sends a request with /important;a=b/resources, the request would bypass the authorizer.