7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38493

GHSA ID

GHSA-wvp2-9ppw-337j

EPSS Score

0.38915%

CWE

CWE-863

Published

7/25/2023

Updated

11/5/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38493

CVE-2023-38493: Paths contain matrix variables bypass decorators

Impact

Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. In this situation, the Armeria decorators might not invoked because of the matrix variables. Let's see the following example:

// Spring controller
@GetMapping("/important/resources")
public String important() {...}

// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);

If an attacker sends a request with /important;a=b/resources, the request would bypass the authrorizer

Patches

https://github.com/line/armeria-ghsa-wvp2-9ppw-337j/commit/9b0ec3e099cc05fbff11d7f1012a1dddb0000d0c

Workarounds

Users can add decorators using regex. e.g. "regex:^/important.*"

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38493

GHSA ID

GHSA-wvp2-9ppw-337j

EPSS Score

0.38915%

CWE

CWE-863

Published

7/25/2023

Updated

11/5/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.linecorp.armeria:armeria	maven	<= 1.24.2	1.24.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how matrix variables were handled in request paths. The key functions are DefaultRequestTarget.forServer (which processes incoming paths) and RequestTarget.path (which returns the path for matching). Before the patch, these functions did not strip matrix variables from the path used for decorator matching. The commit adds matrix variable removal logic in DefaultRequestTarget and introduces RequestTarget.maybePathWithMatrixVariables to handle Spring's requirements, while ensuring decorators see the normalized path. The vulnerable versions lacked this sanitization, allowing path-based decorators to be bypassed via matrix variable injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Sprin* supports [M*trix v*ri**l*s](*ttps://*o*s.sprin*.io/sprin*-*r*m*work/r***r*n**/w**/w**mv*/mv*-*ontroll*r/*nn-m*t*o*s/m*trix-v*ri**l*s.*tml). W**n Sprin* int**r*tion is us**, *rm*ri* **lls Sprin* *ontroll*rs vi* `Tom**tS*rvi**` or `J*

Reasoning

T** vuln*r**ility st*ms *rom *ow m*trix v*ri**l*s w*r* **n*l** in r*qu*st p*t*s. T** k*y *un*tions *r* `****ultR*qu*stT*r**t.*orS*rv*r` (w*i** pro**ss*s in*omin* p*t*s) *n* `R*qu*stT*r**t.p*t*` (w*i** r*turns t** p*t* *or m*t**in*). ***or* t** p*t**,

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-38493: Paths contain matrix variables bypass decorators

Impact

Patches

Workarounds

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI