CVE-2023-38493 Information

Description

Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. Prior to version 1.24.3 the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.

Reference

https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07 https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html