CVE-2023-38493: 
Java vulnerability analysis and mitigation

CVE-2023-38493 affects Armeria, a microservice framework that integrates with Spring, in versions prior to 1.24.3. The vulnerability was discovered and disclosed on July 25, 2023. The issue occurs when Spring integration is used, where Armeria calls Spring controllers via TomcatService or JettyService with paths containing matrix variables (Spring Matrix Variables, GitHub Advisory).

The vulnerability stems from Armeria's handling of matrix variables in URL paths. Matrix variables are name-value pairs in path segments, separated by semicolons. When a request containing matrix variables is processed, Armeria's decorators might not be invoked due to improper path handling. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is the potential bypass of security controls. For example, if an authorization decorator is configured for a path like '/important/', an attacker could bypass the authorization by sending a request with matrix variables (e.g., '/important;a=b/resources'). This could lead to unauthorized access to protected resources (GitHub Advisory).

The vulnerability has been patched in Armeria version 1.24.3. For users unable to upgrade immediately, a workaround is available by adding decorators using regex patterns (e.g., 'regex:^/important.*') instead of simple path matching. The patch involves removing matrix variables from the server-side path and restoring them when calling Spring controllers (GitHub Advisory, GitHub Commit).