Spring Security Vulnerability CVE-2022-22978

Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4

Security Issue ID

SECURITY-305


Affected Product Version(s)

15.0.0, 14.7.6, 13.4.17, and all previous versions


Severity

medium


Description

CVE-2022-22978

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

This feature of Spring Security is not used by brXM, so the product is not directly vulnerable. However, it may have been used by customer project code.
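As an added illustration (not brXM's or Spring Security's own code), this is what such a misconfiguration looks like in customer project code, next to a hardened form; the class name, paths and role are assumed.

```java
// Added example, not brXM project code. Class name, paths and roles are assumed.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;

@Configuration
public class ProjectSecurityConfig {

    // Weak: in a Java regex, '.' does not match line terminators unless the
    // DOTALL flag is set. On the affected Spring Security versions the pattern
    // is compiled as written, so a request path containing a line terminator
    // falls outside this matcher and outside the hasRole("ADMIN") rule it guards.
    static final RegexRequestMatcher WEAK_ADMIN_MATCHER =
            new RegexRequestMatcher("/admin/.*", null);

    // Hardened: the (?s) inline flag turns on DOTALL, so '.' also matches line
    // terminators and the rule covers every path under /admin/.
    static final RegexRequestMatcher HARDENED_ADMIN_MATCHER =
            new RegexRequestMatcher("(?s)/admin/.*", null);

    // Where a regex is not actually needed, an Ant-style matcher is simpler to
    // reason about and does not depend on regex line-terminator semantics.
    static final AntPathRequestMatcher ANT_ADMIN_MATCHER =
            new AntPathRequestMatcher("/admin/**");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(authz -> authz
                .requestMatchers(HARDENED_ADMIN_MATCHER).hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}
```

Updating Spring Security, as the instructions below say, remains the primary fix; making the DOTALL intent explicit in project code additionally documents the matcher's coverage regardless of library version.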

Instructions

Update to the latest version.