Spring Security Vulnerability CVE-2022-22978
Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4
Security Issue ID
SECURITY-305
Affected Product Version(s)
15.0.0, 14.7.6, 13.4.17, and all previous versions
Severity
medium
Description
In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
This feature of Spring Security is not used by brXM, so the product is not directly vulnerable. However, it may have been used by customer project code.
Instructions
Update to the latest version.
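To help find the usage in customer project code mentioned in the description, here is an added example (not part of the original advisory and not brXM code): a small Python audit that lists `RegexRequestMatcher` and `regexMatchers` patterns in Java source that use `.` as a regex wildcard, so they can be reviewed. It assumes patterns are written as inline string literals (constants, `\Q...\E` quoting and XML configuration are not handled); the function names and the sample input are constructed for illustration.

```python
import re

# Call sites taking regex patterns: RegexRequestMatcher(...) and regexMatchers(...).
CALL = re.compile(r'(?:new\s+RegexRequestMatcher|\.regexMatchers)\s*\(')
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one Java string literal

def literals_in_call(src, start):
    """Collect the string literals in the argument list that begins at src[start]."""
    out, depth, i = [], 1, start
    while i < len(src) and depth:
        m = LITERAL.match(src, i)
        if m:                        # consume the literal so its own parens are ignored
            out.append(m.group(1))
            i = m.end()
        else:
            depth += {'(': 1, ')': -1}.get(src[i], 0)
            i += 1
    return out

def has_wildcard_dot(java_literal):
    """True if the regex in a Java string literal uses `.` as a metacharacter."""
    regex = java_literal.replace('\\\\', '\\')   # Java source "\\." is the regex \.
    in_class, i = False, 0
    while i < len(regex):
        c = regex[i]
        if c == '\\':
            i += 1                   # skip the escaped character (\. is a literal dot)
        elif c in '[]':
            in_class = (c == '[')    # a dot inside [...] is literal
        elif c == '.' and not in_class:
            return True
        i += 1
    return False

def audit(src):
    """Return (line_number, pattern) for every matcher pattern with a wildcard dot."""
    return [(src.count('\n', 0, call.start()) + 1, lit)
            for call in CALL.finditer(src)
            for lit in literals_in_call(src, call.end())
            if has_wildcard_dot(lit)]

# Constructed sample of customer security configuration; not brXM code.
SAMPLE = r'''http.authorizeRequests()
    .regexMatchers("/admin/.*").hasRole("ADMIN")
    .regexMatchers(HttpMethod.GET, "/api/v1\\.0/status").permitAll();
RequestMatcher m = new RegexRequestMatcher("/internal/(.*)", "GET");
'''
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each reported pattern is a candidate for review, not a confirmed bypass; patterns where every dot is escaped or sits inside a character class are not reported.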