In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.
Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
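The root cause is a property of `java.util.regex`, which RegexRequestMatcher delegates to: `.` does not match line terminators unless the pattern is compiled with `Pattern.DOTALL`, so a rule such as `/admin/.*` can leave part of the admin area uncovered. The class below is an added example, not Spring Security's own code; the class name, the `/admin/.*` pattern and the constructed sample paths are assumptions chosen to mirror the admin page on this page. It compiles the pattern the way the affected matcher does, next to a DOTALL-hardened variant and a plain prefix check, and reports whether each variant covers every sample path, which makes it usable as a pre-deployment check for existing regex rules.

```java
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example; not Spring Security's own code. RegexRequestMatcher hands the
 * configured pattern to java.util.regex, where "." does not match line
 * terminators unless the pattern is compiled with Pattern.DOTALL. This class
 * exercises a pattern the way such a matcher would and reports which sample
 * paths each variant covers, so a configuration can be checked before deploy.
 */
public class RegexMatcherCheck {

    // Constructed sample paths: the normal admin path plus variants that embed
    // each line terminator java.util.regex recognises (\n, \r, U+0085, U+2028, U+2029).
    static final List<String> SAMPLE_PATHS = List.of(
            "/admin/users",
            "/admin/\nusers",
            "/admin/\rusers",
            "/admin/\u0085users",
            "/admin/\u2028users",
            "/admin/\u2029users");

    // Weak form: "." compiled with default flags, as in the affected releases.
    static final Pattern WEAK = Pattern.compile("/admin/.*");

    // Hardened form: DOTALL makes "." match line terminators as well.
    static final Pattern HARDENED = Pattern.compile("/admin/.*", Pattern.DOTALL);

    // Alternative that does not rely on "." at all: an explicit prefix check.
    static boolean hasAdminPrefix(String path) {
        return path.startsWith("/admin/");
    }

    // Returns true only if the pattern covers every sample path; a false
    // result means some path under the admin area would escape this rule.
    static boolean coversAllSamples(Pattern pattern) {
        for (String path : SAMPLE_PATHS) {
            if (!pattern.matcher(path).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println("weak pattern covers all samples:     " + coversAllSamples(WEAK));
        System.out.println("hardened pattern covers all samples: " + coversAllSamples(HARDENED));
        for (String path : SAMPLE_PATHS) {
            // Escape the terminators so each sample prints on a single line.
            String shown = path.replace("\n", "\\n").replace("\r", "\\r")
                    .replace("\u0085", "\\u0085").replace("\u2028", "\\u2028")
                    .replace("\u2029", "\\u2029");
            System.out.printf("%-18s weak=%-5b hardened=%-5b prefix=%-5b%n",
                    shown, WEAK.matcher(path).matches(),
                    HARDENED.matcher(path).matches(), hasAdminPrefix(path));
        }
    }
}
```

Compile and run with `javac RegexMatcherCheck.java && java RegexMatcherCheck`. The weak pattern fails the coverage check on every sample that contains a line terminator, while the DOTALL variant and the prefix check cover all of them. In practice the fix is to upgrade to a Spring Security release that compiles RegexRequestMatcher patterns with DOTALL; until then, avoid `.` in authorization regexes (or add `(?s)` / `Pattern.DOTALL` explicitly) and prefer path-based matchers such as AntPathRequestMatcher where a prefix rule is what you mean.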
After the server is started, browse to http://your-ip:8080/admin to confirm that access to the admin page is blocked.
Send the following request to access the admin page: