CVE-2022-23554

CVSS V2 None CVSS V3 None
Description
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows Authentication Filter bypass. The AuthenticationFilter relies on the request URI to evaluate if the user is accessing the swagger endpoint. By accessing a URL with a path such as /api/foo;%2fapi%2fswagger the contains condition will hold and will return from the authentication filter without aborting the request. Note that the principal object will not be assigned and therefore the issue wont allow user impersonation. This issue has been fixed in version 1.10.4. There are no known workarounds.
Overview
  • CVE ID
  • CVE-2022-23554
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-28T19:15:09
  • Last Modified Date
  • 2023-01-06T15:47:34
Weakness Enumerations
CWE URL
CWE-287 http://cwe.mitre.org/data/definitions/287.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:alpine_project:alpine:*:*:*:*:*:*:*:* 1 OR 1.10.4
References
Reference URL Reference Tags
https://github.com/stevespringett/Alpine/blob/f03dbda46229c26145a5f9f7f2660cc2c386be02/alpine/src/main/java/alpine/filters/AuthenticationFilter.java#L58-L60
https://github.com/stevespringett/Alpine/releases/tag/alpine-parent-1.10.4
https://securitylab.github.com/advisories/GHSL-2021-1010-Alpine/
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-23554
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23554
History
Created Old Value New Value Data Type Notes
2022-12-28 20:14:49 Added to TrackCVE
2022-12-28 20:14:50 Weakness Enumeration new
2023-01-05 02:15:01 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-01-06 16:20:20 2023-01-06T15:47:34 CVE Modified Date updated
2023-01-06 16:20:20 Undergoing Analysis Analyzed Vulnerability Status updated
2023-01-06 16:20:23 CPE Information updated