Security Bypass in Spring Security for WebFlux by Vendor Spring
CVE-2023-34034

9.8CRITICAL

Key Information:

Vendor: Vmware
Status: Spring Security
Vendor: CVE Published:; 19 July 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A mismatch in pattern matching between Spring Security and Spring WebFlux arises when using '**' as a pattern in the Spring Security configuration. This vulnerability could potentially allow for a security bypass, exposing applications to unauthorized access and other security risks. Developers and administrators are advised to review their configurations and apply the necessary mitigations as outlined by the vendor.

Affected Version(s)

Spring Security Spring Security 6.1.0 <= 6.1.1

Spring Security Spring Security 6.0.0 <= 6.0.4

Spring Security Spring Security 5.8.0 <= 5.8.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2023-34034
Created by hotblac

References

https://spring.io/security/cve-2023-34034

https://security.netapp.com/advisory/ntap-20230814-0008/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 2, 2023
👾
Exploit known to exist
Dec 2, 2023
Vulnerability published
Jul 19, 2023
Vulnerability Reserved
May 25, 2023