Auth bypass in Spring Security

CVE-2022-22978

In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and in older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the…
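
The following is an added illustration, not Spring Security's own code, of the mechanism behind the advisory: in java.util.regex a `.` does not match a line terminator unless the pattern is compiled with `Pattern.DOTALL` (or carries the inline `(?s)` flag), so a rule such as `/admin/.*` does not cover a request path that contains a raw newline and the request falls through to whatever the remaining configuration permits. The demo models an ordered chain of RegexRequestMatcher-style rules with a hypothetical `Rule` record and `isAllowed` helper; it assumes, as the advisory words it for "some servlet containers", that the container has already handed the framework a path still containing a newline character. The patched releases compile the RegexRequestMatcher pattern with `DOTALL`, which is what the hardened variant below does. Requires Java 16 or later for the record.

```java
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added illustration, not Spring Security's code. Models an ordered chain of
 * RegexRequestMatcher-style rules and shows why a rule that relies on `.`
 * fails to cover a path containing a line terminator.
 *
 * Assumption: the servlet container has passed the framework a request path
 * that still contains a raw newline (the advisory says this happens "on some
 * servlet containers").
 */
public class RegexMatcherBypassDemo {

    /** One rule: a compiled path pattern and whether it requires ADMIN. */
    record Rule(Pattern pattern, boolean adminOnly) {
        boolean matches(String path) {
            // RegexRequestMatcher uses matches(): the whole path must match.
            return pattern.matcher(path).matches();
        }
    }

    /**
     * First matching rule decides. A path that no rule covers is permitted,
     * modelling an application that lists only its protected paths and
     * leaves everything else open.
     */
    static boolean isAllowed(List<Rule> rules, String path, boolean isAdmin) {
        for (Rule rule : rules) {
            if (rule.matches(path)) {
                return !rule.adminOnly || isAdmin;
            }
        }
        return true;
    }

    /** Typical "everything under /admin" rule, compiled with the given flags. */
    static List<Rule> adminRules(int flags) {
        return List.of(new Rule(Pattern.compile("/admin/.*", flags), true));
    }

    /** Pattern-level alternative: the inline (?s) flag enables DOTALL for this regex only. */
    static List<Rule> adminRulesInlineFlag() {
        return List.of(new Rule(Pattern.compile("(?s)/admin/.*"), true));
    }

    public static void main(String[] args) {
        String normal = "/admin/users";
        String withNewline = "/admin/\nusers"; // constructed input: line terminator inside the path
        boolean anonymous = false;

        List<Rule> vulnerable = adminRules(0);            // default flags: `.` does not match \n
        List<Rule> hardened = adminRules(Pattern.DOTALL); // `.` also matches line terminators

        System.out.println("default flags, /admin/users,    anonymous -> "
                + isAllowed(vulnerable, normal, anonymous));
        System.out.println("default flags, newline in path, anonymous -> "
                + isAllowed(vulnerable, withNewline, anonymous));
        System.out.println("DOTALL,        newline in path, anonymous -> "
                + isAllowed(hardened, withNewline, anonymous));
        System.out.println("(?s) pattern,  newline in path, anonymous -> "
                + isAllowed(adminRulesInlineFlag(), withNewline, anonymous));
    }
}
```

With the default flags the anonymous request for `/admin/users` is denied, but the same request with a newline in the path is allowed, because `/admin/.*` no longer matches it and nothing else restricts it; compiling with `DOTALL` or prefixing the pattern with `(?s)` makes the rule match again and the request is denied. A cheap regression check for any application that keeps its own regex rules is a unit test that feeds each pattern a path containing `\n` and `\r` (both are line terminators that the default `.` skips) and asserts the rule still matches; upgrading to a fixed release removes the need for per-pattern flags, but the test still catches patterns written against other regex engines.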

Vulnerability class: Broken Access Control

EPSS: 0.902 (99.6th percentile)

Affected products

  • Spring Security: 5.4.x prior to 5.4.11, 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and all earlier unsupported versions

Weakness classification (CWE)

  • CWE-863: Incorrect Authorization

Frequently asked questions

What is CVE-2022-22978?
CVE-2022-22978 is a vulnerability in Spring Security, classified under Incorrect Authorization. Published 2022-05-19.
Is CVE-2022-22978 known to be exploited?
79 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.