CVE-2022-22978 — Authorization bypass in Spring Security

Description

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

How to fix CVE-2022-22978

To remediate CVE-2022-22978, upgrade the affected package to a fixed version below.

—upgrade to 5.5.7 or later
—upgrade to 5.5.7 or later

Is CVE-2022-22978 being exploited?

Likely — EPSS is 90.2%, placing CVE-2022-22978 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

>= 5.5.0, < 5.5.7
>= 5.5.0, < 5.5.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-22978
PATCHgithub.com/spring-projects/spring-security
WEBgithub.com/anchore/grype/issues/2158
WEBgithub.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java