Vulnerability Description
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications that use RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
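The root cause is a regex detail rather than anything specific to Spring: in java.util.regex, `.` does not match line terminators unless the pattern is compiled with `Pattern.DOTALL` (or carries the inline `(?s)` flag), so a rule such as `/admin/.*` silently fails to apply to a request path that contains one. The following added example, which is not code from this page or from the Spring Security project, reproduces that behaviour with plain java.util.regex and shows the hardened form beside the weak one. The class name, the rule string and the sample paths are constructed for the demonstration.

```java
import java.util.regex.Pattern;

/** Stand-in for a regex-based request matcher (constructed for this example, not Spring's class). */
public final class PathRuleDemo {

    /** Weak form: no flags, so '.' stops at \n, \r and the other Java line terminators. */
    static Pattern compileWeak(String regex) {
        return Pattern.compile(regex);
    }

    /** Hardened form: DOTALL makes '.' match every character, line terminators included. */
    static Pattern compileHardened(String regex) {
        return Pattern.compile(regex, Pattern.DOTALL);
    }

    /** Apply a rule to a request path the way an authorization matcher would: whole-string match. */
    static boolean ruleApplies(Pattern rule, String requestPath) {
        return rule.matcher(requestPath).matches();
    }

    /**
     * Conservative configuration lint: a rule that contains '.' and neither carries the inline
     * (?s) flag nor is compiled with DOTALL deserves review. Escaped dots are flagged too; that is
     * deliberate, because a false positive here costs a glance and a false negative costs a bypass.
     */
    static boolean needsDotAllReview(String regex) {
        return regex.contains(".") && !regex.startsWith("(?s)");
    }

    public static void main(String[] args) {
        String rule = "/admin/.*";                 // intended to protect everything under /admin/
        String normalPath = "/admin/users";        // constructed sample path
        String pathWithLineFeed = "/admin/users\n"; // constructed sample path containing a line terminator

        // Both forms apply the rule to an ordinary path.
        System.out.println(ruleApplies(compileWeak(rule), normalPath));             // true
        System.out.println(ruleApplies(compileHardened(rule), normalPath));         // true

        // Only the hardened form still applies it once a line terminator is present.
        System.out.println(ruleApplies(compileWeak(rule), pathWithLineFeed));       // false: rule skipped
        System.out.println(ruleApplies(compileHardened(rule), pathWithLineFeed));   // true: rule enforced

        // Equivalent hardening expressed in the pattern itself, useful where the flag cannot be set.
        System.out.println(ruleApplies(compileWeak("(?s)" + rule), pathWithLineFeed)); // true

        System.out.println(needsDotAllReview(rule));          // true: review this rule
        System.out.println(needsDotAllReview("(?s)" + rule)); // false
    }
}
```

Upgrading to the fixed releases listed in the description is the primary remediation. Where an upgrade must wait, the same hardening can be made explicit in each pattern with the `(?s)` prefix shown above, and the lint function gives a cheap way to sweep a configuration for rules that rely on `.` without it.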
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| VMware | Spring Security | < 5.5.7 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| NetApp | Active IQ Unified Manager | - |
Related Weaknesses (CWE)
References
FAQ
What is CVE-2022-22978?
CVE-2022-22978 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications us...
How severe is CVE-2022-22978?
CVE-2022-22978 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-22978?
Check the references section above for vendor advisories and patch information. Affected products include: VMware Spring Security, Oracle Financial Services Crime And Compliance Management Studio, NetApp Active IQ Unified Manager.