Vulnerability Description
Armeria is a microservice framework. Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with a path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not be invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linecorp | Armeria | < 1.24.3 |
References
- https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann- (Product)
- https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07 (Patch)
- https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j (Vendor Advisory)
FAQ
What is CVE-2023-38493?
CVE-2023-38493 is a vulnerability with a CVSS score of 7.5 (HIGH). Armeria is a microservice framework. Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may con...
How severe is CVE-2023-38493?
CVE-2023-38493 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-38493?
Check the references section above for vendor advisories and patch information. Affected products include: Linecorp Armeria.