Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13dnAyLTlwcHctMzM3as4AA04j
Paths contain matrix variables bypass decorators
Impact
Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with a path that may contain matrix variables. In this situation the Armeria decorators might not be invoked, because the matrix variables change the path that Armeria's decorator routing sees while the Spring controller still handles the request. Consider the following example:
// Spring controller
@GetMapping("/important/resources")
public String important() {...}
// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
If an attacker sends a request with the path /important;a=b/resources, the request would bypass the authorizer: the decorator bound under /important/ does not match the path, but Spring still resolves it to the /important/resources controller.
Patches
Workarounds
Users can add decorators using regex. e.g. "regex:^/important.*"
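To make the mismatch concrete, the following Python snippet is an added example, not code from the advisory or from the Armeria project. It models three ways a decorator rule could be matched against a request path: a plain prefix match in the style of decoratorUnder, the regex workaround the advisory suggests, and a normalized prefix match that strips matrix variables first (so the check runs on the same path Spring routes on). The matchers are simplified models for illustration; Armeria's real router is more involved. The sample paths are constructed.

```python
import re

# Constructed sample request paths; only the first two appear in the advisory.
SAMPLE_PATHS = [
    "/important/resources",
    "/important;a=b/resources",
    "/important/resources;v=2",
    "/public/index",
]


def prefix_matches(path: str, prefix: str) -> bool:
    """Plain prefix match, a simplified model of a decoratorUnder-style rule
    (assumption: Armeria's real routing is more involved than startswith)."""
    return path.startswith(prefix)


def regex_matches(path: str, pattern: str) -> bool:
    """Regex match, modelled on the advisory's 'regex:^/important.*' workaround."""
    return re.match(pattern, path) is not None


def strip_matrix_variables(path: str) -> str:
    """Return the path with matrix variables removed from every segment.

    In Spring, matrix variables attach to a path segment after ';'
    ('/important;a=b/resources'). Stripping them yields the path the controller
    is actually resolved against, so the decorator check sees the same path.
    """
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def decorator_applies(path: str, prefix: str = "/important/") -> dict:
    """Evaluate the three matching strategies for one request path."""
    return {
        "prefix": prefix_matches(path, prefix),
        "regex": regex_matches(path, r"^/important.*"),
        "normalized_prefix": prefix_matches(strip_matrix_variables(path), prefix),
    }


def find_bypass_candidates(paths, prefix: str = "/important/") -> list:
    """Audit helper: paths the plain prefix rule would let through unguarded
    even though, once matrix variables are stripped, they sit under the prefix.
    Useful for reviewing access logs of an affected deployment."""
    return [
        p for p in paths
        if not prefix_matches(p, prefix)
        and prefix_matches(strip_matrix_variables(p), prefix)
    ]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, decorator_applies(p))
    print("bypass candidates:", find_bypass_candidates(SAMPLE_PATHS))
```

Note that the advisory's regex workaround is deliberately broad: ^/important.* also matches paths such as /importantX, which is acceptable for an authorizer (it fails closed toward more authentication, not less). Normalizing matrix variables before prefix matching is the tighter check, and the audit helper shows which logged paths would have reached the controller without passing the decorator under the plain prefix rule.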
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13dnAyLTlwcHctMzM3as4AA04j
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-wvp2-9ppw-337j, CVE-2023-38493
References:
- https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j
- https://github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b
- https://nvd.nist.gov/vuln/detail/CVE-2023-38493
- https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07
- https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html
- https://github.com/advisories/GHSA-wvp2-9ppw-337j
Blast Radius: 18.0
Affected Packages
maven:com.linecorp.armeria:armeria
Dependent packages: 160
Dependent repositories: 253
Downloads:
Affected Version Ranges: <= 1.24.2
Fixed in: 1.24.3
All affected versions: 0.32.0, 0.33.0, 0.33.1, 0.34.0, 0.34.1, 0.35.0, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.52.1, 0.53.0, 0.53.1, 0.53.2, 0.54.0, 0.54.1, 0.54.2, 0.55.0, 0.55.1, 0.56.0, 0.56.1, 0.57.0, 0.58.0, 0.58.1, 0.59.0, 0.59.1, 0.59.2, 0.60.0, 0.61.0, 0.62.0, 0.63.0, 0.63.1, 0.64.0, 0.65.0, 0.65.1, 0.66.0, 0.67.0, 0.67.1, 0.67.2, 0.68.0, 0.68.1, 0.68.2, 0.69.0, 0.70.0, 0.70.1, 0.71.0, 0.71.1, 0.72.0, 0.73.0, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.76.1, 0.76.2, 0.77.0, 0.78.0, 0.78.1, 0.78.2, 0.79.0, 0.80.0, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 0.89.1, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.95.0, 0.96.0, 0.97.0, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.98.5, 0.98.6, 0.98.7, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.99.5, 0.99.6, 0.99.7, 0.99.8, 0.99.9, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.24.2
All unaffected versions: 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.28.0, 1.28.1