Incorrect Comparison
CVE-2022-23554
Summary
Alpine is a scaffolding library for Java. The us.springett:alpine-server package in versions prior to 3.0.0 is affected by an authentication filter bypass vulnerability. The "AuthenticationFilter" relies on the request URI to decide whether the user is accessing the swagger endpoint. By requesting a URL with a path such as "/api/foo;%2fapi%2fswagger", the URI containment check matches and the filter returns without aborting the request. Note that the principal object is not assigned, so the issue does not allow user impersonation.
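The weakness described above is a comparison made on the wrong representation of the request: a substring test on the raw request URI, which still carries percent-decoded characters and matrix parameters. The following Java snippet is an added example and not Alpine's own code; it contrasts that style of check with one that strips matrix parameters before decoding, normalizes the path, and then tests the prefix at the start of the path. The prefix "/api/swagger" and the assumption that the container hands the filter a percent-decoded URI are illustrative.

```java
import java.net.URI;
import java.util.StringJoiner;

/**
 * Added example (not Alpine's code): a substring check on the decoded request
 * URI versus a check on a normalized path. SWAGGER_PREFIX is an assumption.
 */
public class SwaggerPathCheck {

    static final String SWAGGER_PREFIX = "/api/swagger";

    /**
     * Weak check: the container delivers a percent-decoded URI with matrix
     * parameters intact, so any URI that merely contains the prefix somewhere
     * (including inside ";...") is treated as a swagger request.
     */
    static boolean isSwaggerWeak(String requestUri) {
        String decoded = URI.create(requestUri).getPath(); // getPath() percent-decodes
        return decoded != null && decoded.contains(SWAGGER_PREFIX);
    }

    /**
     * Hardened check: drop query/fragment, strip ";param" from every raw
     * segment BEFORE decoding (so an encoded slash inside a matrix parameter
     * cannot create new segments), normalize "." and "..", then require the
     * prefix at the start of the path. Malformed input fails closed.
     */
    static boolean isSwaggerHardened(String requestUri) {
        int end = requestUri.length();
        for (char c : new char[] {'?', '#'}) {
            int i = requestUri.indexOf(c);
            if (i >= 0 && i < end) end = i;
        }
        String rawPath = requestUri.substring(0, end);

        StringJoiner joiner = new StringJoiner("/");
        for (String seg : rawPath.split("/", -1)) {
            int semi = seg.indexOf(';');
            joiner.add(semi >= 0 ? seg.substring(0, semi) : seg);
        }
        String stripped = joiner.toString();

        try {
            // normalize() collapses "." and ".."; getPath() percent-decodes once.
            String path = URI.create(stripped).normalize().getPath();
            if (path == null) return false;
            return path.equals(SWAGGER_PREFIX) || path.startsWith(SWAGGER_PREFIX + "/");
        } catch (IllegalArgumentException malformed) {
            return false; // unparseable paths never skip authentication
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs, including the path quoted in the advisory.
        String[] samples = {
            "/api/swagger",               // genuine swagger request
            "/api/swagger/index.html",    // genuine sub-resource
            "/api/foo;%2fapi%2fswagger",  // matrix parameter carrying the prefix
            "/api/swagger/../foo",        // resolves elsewhere after normalization
        };
        for (String s : samples) {
            System.out.printf("%-30s weak=%-5b hardened=%b%n",
                    s, isSwaggerWeak(s), isSwaggerHardened(s));
        }
    }
}
```

Run with `java SwaggerPathCheck.java`: the two genuine requests are accepted by both checks, while the matrix-parameter path and the dot-segment path are accepted only by the weak check. The design point is that the comparison must run on the same normalized path the router will dispatch on; a filter that compares a different representation than the router uses is exactly the CWE-697 condition this advisory names.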
- LOW
- NETWORK
- LOW
- UNCHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-697 - Incorrect Comparison
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
References
Advisory Timeline
- Published