Authorization Bypass Vulnerability in Spring Security Framework
CVE-2022-22978

9.8CRITICAL

Key Information:

Vendor: Vmware
Status: Spring Security
Vendor: CVE Published:; 19 May 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Certain versions of the Spring Security framework are vulnerable to an authorization bypass that arises from improper configuration of the RegexRequestMatcher. Specifically, applications utilizing regular expressions containing . may allow unauthorized access, particularly on specific servlet containers. To mitigate this risk, users are encouraged to upgrade to the latest patched versions of Spring Security and review their regex configurations.

Affected Version(s)

Spring Security Spring security versions 5.4.x prior to 5.4.11+,5.5.x prior to 5.5.7+,5.6.x prior to 5.6.4+ and all earlier unsupported versions

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-22978-PoC
Created by ducluongtran9121

CVE-2022-22978
Created by DeEpinGh0st

CVE-2022-22978
Created by aeifkz

References

https://spring.io/security/cve-2022-22978

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 17, 2024
👾
Exploit known to exist
May 17, 2024
Vulnerability published
May 19, 2022
Vulnerability Reserved
Jan 10, 2022