CVE-2022-22978 - Authorization Bypass
Severity: Low
Published: 2022-09-28
Abstract
In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. The root cause is that, in Java regular expressions, `.` does not match line terminators unless the pattern is compiled with `Pattern.DOTALL`; a request path containing an encoded CR or LF that the servlet container decodes and passes through therefore fails to match a pattern such as `/admin/.*` and falls through to whatever rule handles unmatched requests. The issue is fixed in Spring Security 5.5.7 and 5.6.4.
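The following is an added example, not code from this advisory or from Spring Security, showing the mechanism with plain java.util.regex. RegexRequestMatcher compiles the configured pattern and calls `matches()` on the request path; the two `isProtected*` helpers do the same, once without `Pattern.DOTALL` (the vulnerable behaviour) and once with it (the upstream fix). The pattern, the sample request targets and the use of `URLDecoder` to stand in for the container's percent-decoding are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Demonstration of the CVE-2022-22978 root cause (not Spring Security code).
 * RegexRequestMatcher matches the configured regex against the decoded
 * request path with Matcher.matches(); this class does the same directly.
 */
public class RegexMatcherBypassDemo {

    /** Vulnerable behaviour: no DOTALL, so '.' does not match \n, \r and other line terminators. */
    static boolean isProtectedVulnerable(String pattern, String path) {
        return Pattern.compile(pattern).matcher(path).matches();
    }

    /** Fixed behaviour: DOTALL makes '.' match every character, line terminators included. */
    static boolean isProtectedFixed(String pattern, String path) {
        return Pattern.compile(pattern, Pattern.DOTALL).matcher(path).matches();
    }

    /**
     * Stand-in for the servlet container decoding the request target before the
     * security filter sees it (constructed helper; real containers differ in
     * whether they accept %0a/%0d at all, hence "on some servlet containers").
     */
    static String decodeLikeContainer(String rawTarget) {
        return URLDecoder.decode(rawTarget, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String protectedPattern = "/admin/.*";   // intended to protect everything under /admin/

        // Constructed sample request targets as they would appear on the request line.
        String[] rawTargets = {
            "/admin/users",        // ordinary protected request
            "/admin/users%0a",     // trailing LF appended by the attacker
            "/admin/%0dusers",     // CR inside the path
            "/public/index"        // genuinely unprotected request
        };

        for (String raw : rawTargets) {
            String path = decodeLikeContainer(raw);
            boolean vulnerable = isProtectedVulnerable(protectedPattern, path);
            boolean fixed = isProtectedFixed(protectedPattern, path);
            System.out.printf("%-20s vulnerable-matcher=%-5b fixed-matcher=%-5b%n",
                    raw, vulnerable, fixed);
        }
    }
}
```

Run with `java RegexMatcherBypassDemo.java` (JDK 11 or later). The two targets carrying `%0a` and `%0d` are recognised as protected only by the DOTALL variant; the vulnerable matcher treats them as unmatched. Whether that becomes an authorization bypass depends on the rule that catches unmatched requests: a configuration ending in a permissive catch-all such as `anyRequest().permitAll()` grants access, whereas a deny-by-default catch-all (`authenticated()` or `denyAll()`) limits the impact to the protected handler being reachable with the wrong role check skipped. Upgrading the library is the fix; until then, prefer Ant-style or MVC matchers over regex matchers for path-based rules.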
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v5.0 and older versions | Low | Oxygen Content Fusion 5.0 build 2022092005 |
| Oxygen Feedback 2.1 and older | Low | Oxygen Feedback 2.1 build 2022071516 |
Detail
CVE-2022-22978
Upstream severity (NVD, for the Spring Security library itself): Critical
Upstream CVSS v3.1 base score: 9.8
The Spring Security third-party library bundled with Oxygen XML products is one of the versions listed in the CVE-2022-22978 description. However, Oxygen XML products do not use the RegexRequestMatcher class, so the vulnerable matching code path is never reached in these products. For that reason we have rated the severity level for our products as Low; the builds listed above address the issue nonetheless.