GHSL-2021-1010: Authentication bypass in Alpine - CVE-2022-23554

Coordinated Disclosure Timeline

• 2021-09-24: Report sent to steve.springett AT owasp.org
• 2022-02-13: Issue fixed in 1.10.4

Summary

The AuthenticationFilter can be bypassed

Product

Alpine

Tested Version

1.10.2

Details

Issue: AuthenticationFilter bypass (GHSL-2021-1010)

The AuthenticationFilter relies on the request URI to evaluate if the user is accessing the swagger endpoint:

            if (request.getRequestUri().getPath().contains("/api/swagger")) {
                return;
            }

By accessing a URL with a path such as /api/foo;%2fapi%2fswagger the contains condition will hold and will return from the authentication filter without aborting the request. Note that the principal object will not be assigned and therefore the issue wont allow user impersonation.

Impact

The issue may lead to authentication bypass

CVE

• CVE-2022-23554

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1010 in any communication regarding this issue.