GHSA-wvp2-9ppw-337j: Paths contain matrix variables bypass decorators

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-38493

Paths contain matrix variables bypass decorators

High severity GitHub Reviewed Published Jul 25, 2023 in line/armeria

Package

maven com.linecorp.armeria:armeria (Maven)

Affected versions

<= 1.24.2

Description

Impact

Spring supports Matrix variables.
When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path
that may contain matrix variables.
In this situation, the Armeria decorators might not invoked because of the matrix variables.
Let’s see the following example:

// Spring controller
@GetMapping("/important/resources")
public String important() {...}

// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);

If an attacker sends a request with /important;a=b/resources, the request would bypass the authrorizer

Patches

• https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c

Workarounds

Users can add decorators using regex. e.g. “regex:^/important.*”

References

• GHSA-wvp2-9ppw-337j
• line/armeria@49e04ef

Published to the GitHub Advisory Database

Jul 25, 2023