History: May 19, 2022 - 3:15 p.m.

CVE-2022-22978

2022-05-19 15:15:08
CWE-863
web.nvd.nist.gov
7
Tags: spring security, regexrequestmatcher, authorization bypass, cve-2022-22978

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.009
Percentile: 82.3%

In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with "." in the regular expression are possibly vulnerable to an authorization bypass.

Affected configurations

Nvd
Node 1:
  vmware spring_security, range < 5.5.7
  OR
  vmware spring_security, range 5.6.0 to 5.6.4
Node 2:
  oracle financial_services_crime_and_compliance_management_studio, match 8.0.8.2.0
  OR
  oracle financial_services_crime_and_compliance_management_studio, match 8.0.8.3.0
Node 3:
  netapp active_iq_unified_manager, match - (target: linux)
  OR
  netapp active_iq_unified_manager, match - (target: vmware_vsphere)
  OR
  netapp active_iq_unified_manager, match - (target: windows)

Vendor | Product | Version | CPE
vmware | spring_security | * | cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
