CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.001 Low
EPSS Percentile: 24.3%
Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with a path that may contain matrix variables. In this situation, the Armeria decorators might not be invoked because of the matrix variables. Consider the following example:
// Spring controller
@GetMapping("/important/resources")
public String important() {...}
// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
If an attacker sends a request with the path /important;a=b/resources, the request would bypass the authorizer, because the decorator registered under /important/ is not invoked for that path.
Workaround: users can add decorators using a regex path pattern, e.g. "regex:^/important.*".
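The following added example (not Armeria's or Spring's code; a simplified model written for this page) shows why the prefix rule misses the request while the controller still matches it, and checks the regex workaround and a normalising prefix check against the same paths. The rule strings and the request paths are the ones from the advisory; the helper names are invented.

```python
import re

# Rules modelled on the advisory: decoratorUnder("/important/", ...) and "regex:^/important.*"
PREFIX_RULE = "/important/"
REGEX_RULE = re.compile(r"^/important.*")
CONTROLLER_PATH = "/important/resources"


def strip_matrix_variables(path: str) -> str:
    """Drop ';name=value[;...]' matrix variables from every segment.

    Simplified model of what Spring does before it resolves a controller mapping.
    """
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def controller_matches(path: str) -> bool:
    """Spring matches the controller on the path with matrix variables removed."""
    return strip_matrix_variables(path) == CONTROLLER_PATH


def prefix_decorator_applies(path: str) -> bool:
    """Vulnerable model: a literal prefix test on the raw request path."""
    return path.startswith(PREFIX_RULE)


def regex_decorator_applies(path: str) -> bool:
    """Advisory workaround: a regex rule that matches regardless of ';a=b'."""
    return REGEX_RULE.match(path) is not None


def normalised_prefix_applies(path: str) -> bool:
    """Hardened prefix test: strip matrix variables before comparing."""
    return strip_matrix_variables(path).startswith(PREFIX_RULE)


def audit(path: str) -> dict:
    """Report which guards fire for a path that still reaches the controller."""
    return {
        "reaches_controller": controller_matches(path),
        "prefix_decorator": prefix_decorator_applies(path),
        "regex_decorator": regex_decorator_applies(path),
        "normalised_prefix": normalised_prefix_applies(path),
    }


def unguarded_paths(paths) -> list:
    """Paths that reach the controller without the prefix decorator running."""
    return [p for p in paths if controller_matches(p) and not prefix_decorator_applies(p)]
```

Running audit over a plain path and the matrix-variable path from the advisory shows the prefix decorator being skipped only for the latter, while both the regex rule and the normalising check still fire.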
docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html
github.com/line/armeria
github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07
github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b
github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j
nvd.nist.gov/vuln/detail/CVE-2023-38493