Description
Paths containing matrix variables bypass decorators
Impact
Spring supports matrix variables (path segments such as `/important;a=b`).
When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path
that may contain matrix variables.
In this situation, the Armeria decorators (such as an authorizer bound to a path prefix) might not be invoked because of the matrix variables.
Let's see the following example:
If an attacker sends a request with /important;a=b/resources, the request would bypass the authorizer.
Patches
Fixed in Armeria 1.24.3 (see the linked commits). Upgrade to 1.24.3 or later.
Workarounds
Until they can upgrade, users can bind decorators using a regex path pattern instead of a prefix, e.g. "regex:^/important.*", so that the match is made against the request path as received, matrix variables included.
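The following is an added example, not code from the advisory or from the Armeria project. It shows an Armeria server fronting a Spring MVC application through TomcatService, with an authorizer bound to /important in two ways: the prefix binding that the advisory describes as bypassable with /important;a=b/resources on Armeria <= 1.24.2, and the "regex:" binding from the workaround. The Tomcat instance, the port and the Authorization-header check are placeholders.

```java
import java.util.concurrent.CompletableFuture;

import org.apache.catalina.startup.Tomcat;

import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.ServerBuilder;
import com.linecorp.armeria.server.auth.AuthService;
import com.linecorp.armeria.server.auth.Authorizer;
import com.linecorp.armeria.server.tomcat.TomcatService;

public final class MatrixVariableWorkaround {

    // Placeholder authorizer (assumption): accept only requests that carry an
    // Authorization header. A real deployment validates the credential; the
    // point here is where the decorator is bound, not what it checks.
    static final Authorizer<HttpRequest> AUTHORIZER =
            (ctx, req) -> CompletableFuture.completedFuture(
                    req.headers().contains("authorization"));

    public static Server build(Tomcat tomcat, boolean useRegexWorkaround) {
        ServerBuilder sb = Server.builder();
        sb.http(8080);
        // Hand every path to the embedded Tomcat that hosts the Spring controllers.
        sb.serviceUnder("/", TomcatService.of(tomcat));

        if (useRegexWorkaround) {
            // Advisory workaround: a regex route, matched against the request
            // path as received, so "/important;a=b/resources" is still covered.
            sb.decorator("regex:^/important.*", AuthService.newDecorator(AUTHORIZER));
        } else {
            // Prefix binding: the kind of setup the advisory describes as
            // bypassable with matrix variables on Armeria <= 1.24.2.
            sb.decoratorUnder("/important", AuthService.newDecorator(AUTHORIZER));
        }
        return sb.build();
    }

    public static void main(String[] args) {
        Tomcat tomcat = new Tomcat(); // configure the webapp/docBase for your Spring app
        Server server = build(tomcat, true);
        server.start().join();
        // Probe from another shell with the two paths from the advisory:
        //   curl -i http://127.0.0.1:8080/important/resources
        //   curl -i http://127.0.0.1:8080/important;a=b/resources
        // Both are expected to be rejected by the authorizer when the regex
        // decorator is used; only the first is guaranteed to be with the prefix
        // binding on a vulnerable version.
    }
}
```

One caveat on the advisory's pattern: `^/important.*` is broader than the prefix `/important/`, since it also matches paths such as `/importantly`. That is harmless for an authorizer (it only adds coverage), but tighten the expression if the decorator does something path-specific.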
References
- https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j
- https://nvd.nist.gov/vuln/detail/CVE-2023-38493
- https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07
- https://github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b
- https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html
Packages
com.linecorp.armeria:armeria
Affected versions: <= 1.24.2
Patched version: 1.24.3
Related vulnerabilities
Armeria is a microservice framework. Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not be invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.