CVE-2022-23553 — Alpine allows URL access filter bypass

Description

Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.

How to fix CVE-2022-23553

To remediate CVE-2022-23553, upgrade the affected package to a fixed version below.

Maven/us.springett:alpine—upgrade to 1.10.4 or later

Is CVE-2022-23553 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.10.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23553
ADVISORYsecuritylab.github.com/advisories/GHSL-2021-1009-Alpine
PATCHgithub.com/stevespringett/Alpine
WEBgithub.com/stevespringett/Alpine/blob/alpine-parent-1.10.2/alpine/src/main/java/alpine/filters/BlacklistUrlFilter.java#L107-L121