Tackling the OAuth2 Client component model in Spring Security
In Spring Security 5, we saw many developments in the OAuth2 story with the introduction of OAuth2 Resource Server and OAuth2 Client into the framework. Today, it is quite convenient to develop applications that are secured by OAuth2 using the features available in OAuth2 Resource Server...
This Week in Spring - August 1st, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! Can you believe it's already August 1, 2023??? Me either. As I write this, I'm preparing some of my contributions for SpringOne at VMware Explore 2023, happening next month in lovely Las Vegas, NV. Have you registered yet? I'...
CVE-2023-20862
A flaw was found in Spring Security. In affected versions of Spring Security, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. Th...
Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses VMware Tanzu Spring Security which is vulnerable to CVE-2022-31692 and CVE-2023-20862. Vulnerability Details CVEID:CVE-2022-31692 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions,...
Improper Access Control
org.springframework.security:spring-security-config is vulnerable to Improper Access Control. The vulnerability exists due to lack of checks in multiple files, which allows an attacker to use "**" as a pattern in the configurations for WebFlux, creating a mismatch in pattern matching, resulting in a...
Authorization Rule Misconfiguration
spring-security-config is vulnerable to Authorization Rule Misconfiguration. The vulnerability exists due to the lack of validation in the RequestMatcher of AbstractRequestMatcherRegistry.java when the application uses the requestMatchersString function with multiple servlets, one of them being...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2023-20862)
Summary A vulnerability in VMware Tanzu Spring Security used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-20862 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by the logout support feature...
cc.vihackerframework:vihacker-security-starter (=1.0.8.R), city.smartb.fs:f2-spring-boot-starter-auth-tenant (>=0.15.0 <=0.15.0-RC2) +399 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=6.0.0 <=6.0.4)
org.springframework.security:spring-security-config MAVEN version =6.0.0, =0.15.0, =0.12.0, =0.12.0, =0.15.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =2023.0.0.2-alpha.1, =2023.0.0.0, =2023.0.0.1, =2023.0.0.2-alpha.2 and more Source cves: CVE-2023-34034 Source advisory...
GHSA-3H6F-G5F3-GC4W Access Control Bypass in Spring Security
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
cc.chensoul.nacos:nacos-distribution (=2.5.2), com.buession.security:buession-security-spring (>=3.0.0 <=3.0.1) +262 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.8.0 <=5.8.4)
org.springframework.security:spring-security-config MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.12.0, =5.12.0, =1.48.0, =1.48.0, =1.48.0, =4.5.0, =4.5.0, =4.5.0, =6.5.0, =4.5.0, =4.5.1 and more Source cves: CVE-2023-34034 Source advisory: OSV:GHSA-3H6F-G5F3-GC4W...
cn.guomw.cloud:framework-cloud-starter-auth (=1.1.0.RELEASE), cn.herodotus.engine:oauth2-sdk-authorization (>=2.7.0.0 <=2.7.0.60) +259 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.7.0 <=5.7.1)
org.springframework.security:spring-security-config MAVEN version =5.7.0, =2.7.0.0, =2.7.0.0, =2.7.0.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.4.7 and more Source cves: CVE-2023-34034 Source advisory: OSV:GHSA-3H6F-G5F3-...
Access Control Bypass in Spring Security
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +828 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.6.0 <=5.6.10)
org.springframework.security:spring-security-config MAVEN version =5.6.0, =4.4.0.2, =0.2.0, =2.1.0.M8, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta1, =0.0.1, =0.0.6 - com.atlassian.connect:atlassian-connect-spring-boot-api =2.2.7 - com.atlassian.connect:atlassian-connect-spring-boot-core...
br.com.nitertech:jwt (>=1.1.4.2 <=1.1.5), cn.herodotus.engine:oauth2-sdk-authentication (>=3.0.6.4 <=3.1.1.3) +314 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=6.1.0 <=6.1.1)
org.springframework.security:spring-security-config MAVEN version =6.1.0, =1.1.4.2, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =4.0.1, =4.0.1, =0.1.0, =6.1.11, =6.1.11, =7.0.0, =7.0.0, =6.1.11, =6.1.11, =6.2.0 and more Source cves: CVE-2023-34034 Source advisory: OSV:GHSA-3H6F-G5F3-GC4W...
CVE-2023-34034
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
Security feature bypass
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
CVE-2023-34034
CVE-2023-34034 is documented in IBM security bulletins as affecting VMware Tanzu Spring Security when using "**" as a pattern in WebFlux configuration, causing a pattern-matching bypass. The IBM bulletin assigns a CVSS v3.0 base score of 9.1 (Impact: Confidentiality High, Integrity High, Availabi...