CVE-2023-38493

Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.

Published: Jul 25, 2023
Updated: May 9, 2024
CVE: CVE-2023-38493
GHSA: GHSA-wvp2-9ppw-337j
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
com.linecorp.armeria / armeria	-	1.24.3
linecorp / armeria	-	1.24.3

https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html
https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07
https://github.com/line/armeria/commit/49e04ef231ad65750739529c7fa4ce946ff7588b
https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j

Vulnerability Database

289,598

CVE-2023-38493