CVE-2023-34034
published 2023-07-19CVE-2023-34034: Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | spring_security | >= 5.6.0 < 5.6.12 | 5.6.12 |
| vmware | spring_security | >= 5.7.0 < 5.7.10 | 5.7.10 |
| vmware | spring_security | >= 5.8.0 < 5.8.5 | 5.8.5 |
| vmware | spring_security | >= 6.0.0 < 6.0.5 | 6.0.5 |
| vmware | spring_security | >= 6.1.0 < 6.1.2 | 6.1.2 |
| vmware | spring_security | Spring Security 5.6.0 – 5.6.11 | — |
| vmware | spring_security | Spring Security 5.7.0 – 5.7.9 | — |
| vmware | spring_security | Spring Security 5.8.0 – 5.8.4 | — |
| vmware | spring_security | Spring Security 6.0.0 – 6.0.4 | — |
| vmware | spring_security | Spring Security 6.1.0 – 6.1.1 | — |