{"id":"CVE-2022-22978","details":"In Spring Security versions 5.4.x prior to 5.4.11, 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured in a way that allows it to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.","aliases":["GHSA-hh32-7344-cg2f"],"modified":"2026-05-15T11:54:32.339498367Z","published":"2022-05-19T00:00:00Z","database_specific":{"cwe_ids":["CWE-863"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"last_affected":"Spring security versions 5.4.x prior to 5.4.11+,5.5.x prior to 5.5.7+,5.6.x prior to 5.6.4+ and all earlier unsupported versions"}]}],"cna_assigner":"vmware","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/22xxx/CVE-2022-22978.json"},"references":[{"type":"WEB","url":"https://spring.io/security/cve-2022-22978"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/22xxx/CVE-2022-22978.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22978"}],"schema_version":"1.7.5"}