CVE-2022-22978

This repository demonstrates CVE-2022-22978, an authentication bypass vulnerability in Spring Security due to improper handling of newline characters in RegexRequestMatcher. The PoC includes a Spring Boot application with a vulnerable configuration and a test case to verify the bypass.

This repository contains a functional PoC for CVE-2022-22978, demonstrating an authorization bypass in Spring Security's RegexRequestMatcher due to improper handling of newline characters in regex patterns.

This repository demonstrates an authentication bypass vulnerability in Spring Security (CVE-2022-22978) by exploiting path normalization issues. The PoC includes a Spring Boot application with endpoints that can be accessed using newline characters (%0a or %0d) to bypass security restrictions.

This repository contains a functional PoC for CVE-2022-22978, demonstrating an authorization bypass in Spring Security's RegexRequestMatcher. The exploit leverages newline characters (%0a, %0d) to bypass regex-based path authentication.

This repository demonstrates an authentication bypass vulnerability in Spring Security 5.6.3 via a regex mismatch in path matching. The exploit uses a newline character (%0a) to bypass authentication requirements for endpoints under '/vulnerable/'.

This repository documents CVE-2022-22978, an authorization bypass vulnerability in Spring Security due to improper handling of newline characters in RegexRequestMatcher. The writeup includes steps to reproduce the issue using encoded newline characters (%0a, %0d) to bypass access controls.

This repository demonstrates CVE-2022-22978, a Spring Security bypass vulnerability. It includes a Spring Boot application with configured security rules using regexMatchers, which can be bypassed under specific conditions.

This repository contains a working proof-of-concept for CVE-2022-22978, an authorization bypass vulnerability in Spring Security's RegexRequestMatcher. The exploit demonstrates how attackers can bypass authentication by injecting newline characters (%0a or %0d) into URLs.