Authorization Bypass Affecting org.springframework.security:spring-security-web Open this link in a new tab package, versions [,5.5.7) [5.6.0 ,5.6.4)


0.0
high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-2833359

  • published

    18 May 2022

  • disclosed

    18 May 2022

  • credit

    Hiroki Nishino, Toshiki Sasazaki, Yoshinori Hayashi, Jonghwan Kim

How to fix?

Upgrade org.springframework.security:spring-security-web to version 5.5.7, 5.6.4 or higher.

Overview

org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Authorization Bypass via the RegexRequestMatcher class, which can easily be misconfigured to be bypassed on some servlet containers when it is used with . in the regular expression.