GHSA-wvp2-9ppw-337j

Source
https://github.com/advisories/GHSA-wvp2-9ppw-337j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-wvp2-9ppw-337j/GHSA-wvp2-9ppw-337j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wvp2-9ppw-337j
Aliases
Published
2023-07-25T18:24:39Z
Modified
2024-02-16T07:44:04.223159Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Paths contain matrix variables bypass decorators
Details

Impact

Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with a path that may contain matrix variables. In this situation, the Armeria decorators might not be invoked because of the matrix variables. Consider the following example:

// Spring controller: Spring strips matrix variables before route matching,
// so /important;a=b/resources is still routed to this handler
@GetMapping("/important/resources")
public String important() {...}

// Armeria decorator: intended to guard every request whose path starts with /important/
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);

If an attacker sends a request for /important;a=b/resources, the request bypasses the authorizer: the decorator's prefix check runs against the raw path, which does not start with /important/, while Spring still routes the request to the controller.

Patches

  • https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c

Workarounds

Users can add decorators using a regex path pattern instead of a prefix, e.g. "regex:^/important.*".
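The following is an added illustration, not Armeria or Spring code: a small Python model of the three path checks involved in the Impact and Workarounds sections above (the raw prefix check of decoratorUnder, the regex workaround, and a prefix check applied to the matrix-stripped path that Spring actually routes). The prefix and regex strings come from the advisory; the function names are assumptions of this example.

```python
import re

# Values from the advisory: the decorator prefix and the suggested regex workaround.
PROTECTED_PREFIX = "/important/"
WORKAROUND_REGEX = re.compile(r"^/important.*")


def strip_matrix_variables(path: str) -> str:
    """Return the path as Spring routes it: everything from the first ';' in each
    segment (the matrix variables) is dropped before controller matching."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def prefix_decorator_applies(path: str) -> bool:
    """Model of decoratorUnder("/important/", authService): a plain prefix test on
    the raw request path. This is the check the advisory describes as bypassable."""
    return path.startswith(PROTECTED_PREFIX)


def regex_decorator_applies(path: str) -> bool:
    """Model of the advisory's workaround, a decorator bound to "regex:^/important.*"."""
    return WORKAROUND_REGEX.match(path) is not None


def normalized_prefix_decorator_applies(path: str) -> bool:
    """Hardened variant (assumption of this example): run the prefix test on the
    matrix-stripped path so the decorator sees the same route Spring will match."""
    return strip_matrix_variables(path).startswith(PROTECTED_PREFIX)


def evaluate(path: str) -> dict:
    """Summarise how one request path fares under each check."""
    return {
        "spring_route": strip_matrix_variables(path),
        "prefix_decorator": prefix_decorator_applies(path),
        "regex_decorator": regex_decorator_applies(path),
        "normalized_decorator": normalized_prefix_decorator_applies(path),
    }


if __name__ == "__main__":
    # Constructed sample paths: the normal request and the one from the advisory.
    for sample in ("/important/resources", "/important;a=b/resources"):
        print(sample, evaluate(sample))
```

Note that `^/important.*` also matches sibling paths such as /important-public; tighten the pattern if such routes exist.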

Database specific
{
    "nvd_published_at": "2023-07-25T21:15:10Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T18:24:39Z"
}
References

Affected packages

Maven / com.linecorp.armeria:armeria

Package

Name
com.linecorp.armeria:armeria
Purl
pkg:maven/com.linecorp.armeria/armeria

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.24.3

Affected versions

0.*

0.4.0.Final
0.5.0.Final
0.5.1.Final
0.6.0.Final
0.6.1.Final
0.6.2.Final
0.6.3.Final
0.6.4.Final
0.7.0.Final
0.8.0.Final
0.9.0.Final
0.10.0.Final
0.11.0.Final
0.12.0.Final
0.12.1.Final
0.12.2.Final
0.13.0.Final
0.13.1.Final
0.13.2.Final
0.13.3.Final
0.13.4.Final
0.14.0.Final
0.15.0.Final
0.16.0.Final
0.16.1.Final
0.17.0.Final
0.18.0.Final
0.19.0.Final
0.20.0.Final
0.20.1.Final
0.20.2.Final
0.20.3.Final
0.21.0.Final
0.21.1.Final
0.21.2.Final
0.21.3.Final
0.21.4.Final
0.21.5.Final
0.21.6.Final
0.22.0.Final
0.23.0.Final
0.23.1.Final
0.24.0.Final
0.24.1.Final
0.25.0.Final
0.26.0.Final
0.26.1.Final
0.27.0.Final
0.28.0.Final
0.29.0.Final
0.29.1.Final
0.30.0.Final
0.31.0.Final
0.31.1.Final
0.32.0
0.33.0
0.33.1
0.34.0
0.34.1
0.35.0
0.35.1
0.35.2
0.36.0
0.37.0
0.38.0
0.39.0
0.40.0
0.41.0
0.42.0
0.43.0
0.44.0
0.45.0
0.46.0
0.46.1
0.46.2
0.46.3
0.46.4
0.47.0
0.48.0
0.49.0
0.50.0
0.51.0
0.52.0
0.52.1
0.53.0
0.53.1
0.53.2
0.54.0
0.54.1
0.54.2
0.55.0
0.55.1
0.56.0
0.56.1
0.57.0
0.58.0
0.58.1
0.59.0
0.59.1
0.59.2
0.60.0
0.61.0
0.62.0
0.63.0
0.63.1
0.64.0
0.65.0
0.65.1
0.66.0
0.67.0
0.67.1
0.67.2
0.68.0
0.68.1
0.68.2
0.69.0
0.70.0
0.70.1
0.71.0
0.71.1
0.72.0
0.73.0
0.74.0
0.74.1
0.75.0
0.76.0
0.76.1
0.76.2
0.77.0
0.78.0
0.78.1
0.78.2
0.79.0
0.80.0
0.81.0
0.81.1
0.82.0
0.83.0
0.84.0
0.85.0
0.86.0
0.87.0
0.88.0
0.89.0
0.89.1
0.90.0
0.90.1
0.90.2
0.90.3
0.91.0
0.92.0
0.93.0
0.94.0
0.95.0
0.96.0
0.97.0
0.98.0
0.98.1
0.98.2
0.98.3
0.98.4
0.98.5
0.98.6
0.98.7
0.99.0
0.99.1
0.99.2
0.99.3
0.99.4
0.99.5
0.99.6
0.99.7
0.99.8
0.99.9

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.7.2
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.12.0
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.14.0
1.14.1
1.15.0
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.17.1
1.17.2
1.18.0
1.19.0
1.20.0
1.20.1
1.20.2
1.20.3
1.21.0
1.22.0
1.22.1
1.23.0
1.23.1
1.24.0
1.24.1
1.24.2

Database specific

{
    "last_known_affected_version_range": "<= 1.24.2"
}