Spring Security Advisories

CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern

HIGH | JULY 18, 2023 | CVE-2023-34034

Description

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
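As an added illustration (not code from the advisory or from the Spring project), assuming a WebFlux application using Spring Security's Java configuration, the bare "**" pattern the advisory refers to is shown next to a slash-prefixed equivalent; the sample path is constructed, and the fixed versions listed under Mitigation remain the actual remedy.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                // Constructed sample path for the example.
                .pathMatchers("/actuator/health").permitAll()
                // Affected form (the configuration this advisory is about):
                //     .pathMatchers("**").authenticated()
                // A bare "**" is interpreted differently by Spring Security and by
                // Spring WebFlux, so the rule may not cover the requests the author
                // expects. Prefer a slash-prefixed pattern, or the catch-all
                // anyExchange(), for the "everything else" rule:
                .pathMatchers("/**").authenticated())
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

When reviewing existing WebFlux configurations, search for pathMatchers arguments that do not begin with "/" in addition to upgrading to a fixed version.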

Affected Spring Products and Versions

Spring Security:

  • 6.1.0 to 6.1.1
  • 6.0.0 to 6.0.4
  • 5.8.0 to 5.8.4
  • 5.7.0 to 5.7.9
  • 5.6.0 to 5.6.11

Mitigation

The following Spring Security versions contain fixes for this vulnerability:

  • 6.1.2+
  • 6.0.5+
  • 5.8.5+
  • 5.7.10+
  • 5.6.12+

The above require Spring Framework versions:

  • 6.0.11+
  • 5.3.29+
  • 5.2.25+

Credit

This vulnerability was disclosed responsibly by tkswifty and Ha1c9on.
