aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/spring/CVE-2022-22978/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

860 B
Raw Permalink Blame History

Spring Security RegexRequestMatcher 认证绕过漏洞CVE-2022-22978

Spring Security用于在Spring框架中提供安全认证功能。在Spring Security 5.5.6、5.6.3及更早的不受支持版本中,使用带有.的正则表达式的RegexRequestMatcher的应用程序可能存在认证绕过漏洞。

参考链接:

漏洞环境

执行如下命令启动一个基于Spring Security 5.6.3的Web应用

docker compose up -d

服务器启动后,访问http://your-ip:8080/admin,可以看到管理页面的访问被阻止。

漏洞复现

发送以下请求来访问管理页面,成功绕过认证: