CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 6CVE-2022-22978 – springframework: Authorization Bypass in RegexRequestMatcher
https://notcve.org/view.php?id=CVE-2022-22978
In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. En las versiones 5.5.6 y 5.6.3 de Spring Security y en versiones anteriores no soportadas, RegexRequestMatcher puede ser fácilmente configurado de forma incorrecta para ser evitado en algunos contenedores de servlets. Las aplicaciones que utilizan RegexRequestMatcher con `.` en la expresión regular son posiblemente vulnerables a un bypass de autorización A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. • https://github.com/DeEpinGh0st/CVE-2022-22978 https://github.com/ducluongtran9121/CVE-2022-22978-PoC https://github.com/aeifkz/CVE-2022-22978 https://github.com/umakant76705/CVE-2022-22978 https://github.com/Raghvendra1207/CVE-2022-22978 https://github.com/wan9xx/CVE-2022-22978-demo https://spring.io/security/cve-2022-22978 https://access.redhat.com/security/cve/CVE-2022-22978 https://bugzilla.redhat.com/show_bug.cgi?id=2087606 • CWE-863: Incorrect Authorization CWE-1220: Insufficient Granularity of Access Control •
CVSS: 9.0EPSS: 0%CPEs: 11EXPL: 0CVE-2021-22112
https://notcve.org/view.php?id=CVE-2021-22112
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application. Spring Security versiones 5.4.x anteriores a 5.4.4, versiones 5.3.x anteriores a 5.3.8.RELEASE, versiones 5.2.x anteriores a 5.2.9.RELEASE, y versiones anteriores no compatibles, pueden producir un fallo al guardar el SecurityContext si se cambia más de una vez en una sola petición. Un usuario malicioso no puede causar el error (debe estar programado). Sin embargo, si la intención de la aplicación es sólo permitir que el usuario solo se ejecute con privilegios elevados en una pequeña parte de la aplicación, el error puede ser aprovechado para extender esos privilegios al resto de la aplicación • http://www.openwall.com/lists/oss-security/2021/02/19/7 https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3E https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804%40%3Cpluto-scm.portals.apache.org%3E https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177%40%3Cpluto-dev.portals.apache.org%3E https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache. •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2011-2894 – Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
https://notcve.org/view.php?id=CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. Spring Framework v3.0.0 hasta la v3.0.5, v3.0.0 hasta la de Spring Security v3.0.5 y v2.0.0 y v2.0.6, y posiblemente otras versiones permite des-serializar objetos de fuentes no fiables, lo que permite a atacantes remotos eludir las restricciones de seguridad existentes y permite la ejecución de código no seguro (1) serializando una instancia de java.lang.Proxy y mediante el uso de InvocationHandler, o (2) accediendo a las interfaces internas AOP, como se demuestra con la des-serialización de una instancia de DefaultListableBeanFactory para ejecutar código arbitrario a través de la clase java.lang.Runtime. • http://osvdb.org/75263 http://securityreason.com/securityalert/8405 http://www.redhat.com/support/errata/RHSA-2011-1334.html http://www.securityfocus.com/archive/1/519593/100/0/threaded http://www.securityfocus.com/bid/49536 http://www.springsource.com/security/cve-2011-2894 https://exchange.xforce.ibmcloud.com/vulnerabilities/69687 https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894 https://access.redhat.com/security/cve/CVE-2011-2894 • CWE-502: Deserialization of Untrusted Data •