In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with .
in the regular expression are possibly vulnerable to an authorization bypass.
[
{
"vendor": "n/a",
"product": "Spring Security",
"versions": [
{
"version": "Spring security versions 5.4.x prior to 5.4.11+,5.5.x prior to 5.5.7+,5.6.x prior to 5.6.4+ and all earlier unsupported versions",
"status": "affected"
}
]
}
]