Alpine is vulnerable to authorization bypass.The vulnerability exists in doFilter
functions of BlacklistUrlFilter.java
and WhitelistUrlFilter.java
allows an attacker to bypass administrative restrictions via executable WAR files.
github.com/stevespringett/Alpine/blob/alpine-parent-1.10.2/alpine/src/main/java/alpine/filters/BlacklistUrlFilter.java#L107-L121
github.com/stevespringett/Alpine/blob/alpine-parent-1.10.2/alpine/src/main/java/alpine/filters/WhitelistUrlFilter.java#L115-L127
github.com/stevespringett/Alpine/commit/a7432184b9137ea095799a77f9ced370553acbd7
securitylab.github.com/advisories/GHSL-2021-1009-Alpine/