Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38493

Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.

Published

2023-07-25T21:15:10.913

Last Modified

2024-11-21T08:13:41.243

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-863
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	linecorp	armeria	< 1.24.3	Yes

References

https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html Product ([email protected])
https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07 Patch ([email protected])
https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j Vendor Advisory ([email protected])
https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)