CVE-2023-34035
Severity
5.3 MEDIUM
EPSS
2.5%
top 14.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jul 18
Description
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)
Specifically, an application is vulnerable when all of the following are true:
* Spring MVC is on the classpath
*…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4
Affected Packages (3 packages)
CVEListV5: spring_security: Spring Security 5.8.0 to 5.8.4, Spring Security 6.0.0 to 6.0.4, Spring Security 6.1.0 to 6.1.1