CVE-2023-34034

CWE-281 CWE-284 — Improper Access Control CWE-1458 documents6 sources

Severity

9.8CRITICAL

EPSS

47.9%

top 2.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Security

Timeline

PublishedJul 19

Latest updateJul 15

Description

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDvmware/spring_security5.6.0 — 5.6.12+4

▶Mavenorg.springframework.security:spring-security-config5.6.0 — 5.6.12+4

▶CVEListV5spring_securitySpring Security 6.1.0 — 6.1.1+4

🔴Vulnerability Details

CVEList

CVE-2023-34034: Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux↗2023-07-19

▶

GHSA

Access Control Bypass in Spring Security↗2023-07-19

▶

OSV

Access Control Bypass in Spring Security↗2023-07-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: WebCenter Sites (Spring Security) — CVE-2023-34034↗2024-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: PSR Designer (Spring Security) — CVE-2023-34034↗2024-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (Spring Security) — CVE-2023-34034↗2023-10-15

▶

Red Hat

spring-security-webflux: path wildcard leads to security bypass↗2023-07-19

▶