GoogleOSV:GHSA-WVP2-9PPW-337JPaths contain matrix variables bypass decorators
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
24.3%
Impact
Spring supports Matrix variables.
When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path
that may contain matrix variables.
In this situation, the Armeria decorators might not invoked because of the matrix variables.
Let’s see the following example:
// Spring controller
@GetMapping("/important/resources")
public String important() {...}
// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
If an attacker sends a request with /important;a=b/resources, the request would bypass the authrorizer
Patches
Workarounds
Users can add decorators using regex. e.g. "regex:^/important.*"
References
docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html
github.com/line/armeria
github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07
github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b
github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j
nvd.nist.gov/vuln/detail/CVE-2023-38493
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
24.3%