ghsa-wvp2-9ppw-337j
Vulnerability from github
Published
2023-07-25 18:24
Modified
2023-07-25 18:24
Severity ?
Summary
Paths contain matrix variables bypass decorators
Details
Impact
Spring supports Matrix variables.
When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path
that may contain matrix variables.
In this situation, the Armeria decorators might not invoked because of the matrix variables.
Let's see the following example:
```
// Spring controller
@GetMapping("/important/resources")
public String important() {...}
// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
``
If an attacker sends a request with/important;a=b/resources`, the request would bypass the authrorizer
Patches
- https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c
Workarounds
Users can add decorators using regex. e.g. "regex:^/important.*"
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.24.2"
},
"package": {
"ecosystem": "Maven",
"name": "com.linecorp.armeria:armeria"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38493"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-25T18:24:39Z",
"nvd_published_at": "2023-07-25T21:15:10Z",
"severity": "HIGH"
},
"details": "### Impact\nSpring supports [Matrix variables](https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html).\nWhen Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path\nthat may contain matrix variables.\nIn this situation, the Armeria decorators might not invoked because of the matrix variables.\nLet\u0027s see the following example:\n```\n// Spring controller\n@GetMapping(\"/important/resources\")\npublic String important() {...}\n\n// Armeria decorator\nServerBuilder sb = ...\nsb.decoratorUnder(\"/important/\", authService);\n```\nIf an attacker sends a request with `/important;a=b/resources`, the request would bypass the authrorizer\n\n### Patches\n- https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c\n\n### Workarounds\nUsers can add decorators using regex. `e.g. \"regex:^/important.*\"`\n",
"id": "GHSA-wvp2-9ppw-337j",
"modified": "2023-07-25T18:24:39Z",
"published": "2023-07-25T18:24:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38493"
},
{
"type": "WEB",
"url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07"
},
{
"type": "WEB",
"url": "https://github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b"
},
{
"type": "WEB",
"url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/line/armeria"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Paths contain matrix variables bypass decorators"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.