Possible Spring Security Authorization Bypass - CVE-2022-22978.yml

title: Possible Spring Security Authorization Bypass CVE-2022-22978
status: produção
author: A.W. Networksecure Segurança da Informação LTDA.
date: 2023/09/25
modified: 2023/09/28
description: This rule trigger when in URI there is URL encode of \r(%0a) or \n(%0d) for authorization bypass
references:
  - https://github.com/ducluongtran9121/CVE-2022-22978-PoC
  - https://www.tenable.com/plugins/nessus/170668
tags:
  - attack.authorization
  - attack.M0800
logsource:
  category: 
    - UTM
    - alert
  product:
    - waf
    - IPS
    - IDS
detection:
  selection:
    httpMethod: GET
    url:
      - '/admin/%0a'
      - '/admin/%0d'
      - '/login/%0a'
      - '/login/%0d'
      - '/administrator/%0a'
      - '/administrator/%0d'
      - '/adminapi/%0a'
      - '/adminapi/%0d'
    condition: AND, OR
fields:
  - url 
  - httpMethod
level: medium