Authorization bypass in Spring Security
Critical severity
GitHub Reviewed
Published May 20, 2022 to the GitHub Advisory Database. Updated Jul 5, 2024.
Package
Affected versions
>= 5.6.0, < 5.6.4
>= 5.5.0, < 5.5.7
< 5.4.11
Patched versions
5.6.4
5.5.7
5.4.11
Description
Published by the National Vulnerability Database: May 19, 2022
Published to the GitHub Advisory Database: May 20, 2022
Reviewed: May 25, 2022
Last updated: Jul 5, 2024
In Spring Security versions 5.6.0 through 5.6.3, 5.5.0 through 5.5.6, versions before 5.4.11, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with a bare dot (".") in the regular expression are possibly vulnerable to an authorization bypass. The hazard follows from java.util.regex semantics: "." does not match line terminators unless the pattern is compiled with Pattern.DOTALL, so a request path that contains such a character can fall outside a pattern like "/admin/.*" and the authorization rule written for that path is never applied. Upgrade to 5.6.4, 5.5.7 or 5.4.11.
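The following Java program is an added example, not code from the advisory or from Spring Security. It reproduces the matching behaviour behind this bypass with java.util.regex alone: a whole-path match against a configured regex, first without and then with Pattern.DOTALL, plus two ways of hardening the expression itself. The class and method names, the "/admin/.*" rule and both request paths are constructed for illustration; the check that the entire path must match the regex is modelled on how a request matcher applies its pattern, and the path carrying a raw line feed stands in for whatever "some servlet containers" let through, which the advisory does not spell out.

```java
import java.util.regex.Pattern;

// Added example, not code from the advisory or from Spring Security.
// It shows the java.util.regex behaviour behind the bypass: "." does not
// match line terminators (\n, \r, \u0085, \u2028, \u2029) unless the
// pattern is compiled with Pattern.DOTALL.
public class DotBypassDemo {

    // Models the affected check: the whole request path must match the
    // configured regex, compiled without DOTALL. Name and shape are this
    // example's own, not the library's API.
    static boolean affectedMatches(String regex, String path) {
        return Pattern.compile(regex).matcher(path).matches();
    }

    // The same check compiled with DOTALL, so "." also consumes line terminators.
    static boolean dotallMatches(String regex, String path) {
        return Pattern.compile(regex, Pattern.DOTALL).matcher(path).matches();
    }

    public static void main(String[] args) {
        // Hypothetical rule an application might register for its admin area.
        String adminRule = "/admin/.*";

        // Constructed request paths. The second carries a raw line feed in the
        // path string handed to the matcher; the advisory only says that
        // "some servlet containers" let such a path reach the matcher.
        String normalPath = "/admin/users";
        String newlinePath = "/admin/\nusers";

        report("affected, normal path   ", affectedMatches(adminRule, normalPath));
        report("affected, path with LF  ", affectedMatches(adminRule, newlinePath));
        report("DOTALL,   path with LF  ", dotallMatches(adminRule, newlinePath));

        // Hardening the expression itself: "(?s)" is the inline DOTALL flag,
        // and "[\\s\\S]" matches every character including line terminators.
        report("(?s) inline flag        ", affectedMatches("(?s)/admin/.*", newlinePath));
        report("[\\s\\S]* instead of .* ", affectedMatches("/admin/[\\s\\S]*", newlinePath));
    }

    static void report(String label, boolean matched) {
        System.out.println(label + " -> " + (matched ? "rule applies" : "rule skipped"));
    }
}
```

Compile and run with `javac DotBypassDemo.java && java DotBypassDemo`. The affected check reports "rule skipped" for the path containing the line feed, because ".*" cannot consume the "\n" and the whole-path match fails, so a rule restricting "/admin/" would not fire for that request; the DOTALL check, the "(?s)" variant and the "[\s\S]*" rewrite all report "rule applies". Rewriting patterns is defence in depth only; the fix for an affected application is the upgrade to a patched version listed above.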