CVE-2023-34034

2023-07-1914:16:12

vmware

www.cve.org

cve-2023-34034

spring security configuration

webflux

pattern matching

security bypass

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.2%

JSON

Using “**” as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Spring Security",
    "vendor": "n/a",
    "versions": [
      {
        "lessThanOrEqual": "6.1.1",
        "status": "affected",
        "version": "Spring Security 6.1.0",
        "versionType": " "
      },
      {
        "lessThanOrEqual": "6.0.4",
        "status": "affected",
        "version": "Spring Security 6.0.0 ",
        "versionType": " "
      },
      {
        "lessThanOrEqual": "5.8.4",
        "status": "affected",
        "version": "Spring Security 5.8.0",
        "versionType": " "
      },
      {
        "lessThanOrEqual": "5.7.9 ",
        "status": "affected",
        "version": "Spring Security 5.7.0   ",
        "versionType": " "
      },
      {
        "lessThanOrEqual": "5.6.11",
        "status": "affected",
        "version": "Spring Security 5.6.0",
        "versionType": " "
      }
    ]
  }
]