How to solve CVE-2022-22978 on version 4.x?
Comment From: d-krey
Same question for spring-boot-starter-security-2.7.0.jar.
thanks.
Comment From: rwinch
Sorry, but Spring Security 4.x reached EOL in 2020 and is no longer supported. The simplest way to ensure you are not impacted is to avoid RegexRequestMatcher. If you must use it, then you can attempt to patch it yourself by looking in the commit history of RegexRequestMatcher.
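As an added illustration of the "avoid RegexRequestMatcher" advice above (example code written for this thread, not taken from the Spring Security project), here is the same authorization rule expressed first with a regex matcher and then with an Ant-style path matcher, which does not go through RegexRequestMatcher at all. The `WebSecurityConfigurerAdapter` style is used because it compiles on both the 4.x line asked about here and on the 5.7.x line shipped with spring-boot-starter-security 2.7.0 (where it is deprecated but still functional); the `/admin/**` path and the `ADMIN` role are placeholder values.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Before (kept as a comment for comparison): regexMatchers() builds a
        // RegexRequestMatcher, the component CVE-2022-22978 concerns on the
        // affected versions discussed in this thread.
        //
        // http.authorizeRequests()
        //         .regexMatchers("/admin/.*").hasRole("ADMIN")
        //         .anyRequest().authenticated();

        // After: the same rule as an Ant-style pattern. antMatchers() builds an
        // AntPathRequestMatcher, so no RegexRequestMatcher is involved.
        // "/admin/**" and "ADMIN" are placeholder values for this example.
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated();
    }
}
```

After making the change, confirm which spring-security artifacts are actually resolved (for example with `mvn dependency:tree` or `gradle dependencies`) so the version you check against the advisory is the one on the classpath rather than the one declared in the starter.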
Comment From: taures-gmbh
We also have problems with spring-boot-starter-security-2.7.0 and CVE-2022-22978. Is there a plan on when this will be fixed? It feels kind of wrong to exclude the CVE from our OWASP dependency check not knowing where RegexRequestMatcher might be used e.g. by spring internally... Thanks
Comment From: jzheaux
I believe this is because the tool is supposing that minor releases that come after the fix are not also fixed. 5.7.0 is not vulnerable either. It was released after 5.6.4 and thus inherits all the bug fixes, which is the meaning of "only versions < 5.6.4 are vulnerable".
If you take a look at the original report, the mitigation section indicates that updating to 5.7 or later successfully mitigates the issue.