Description

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

Affected Spring Products and Versions

Spring Security:

• 6.1.0 to 6.1.1
• 6.0.0 to 6.0.4
• 5.8.0 to 5.8.4
• 5.7.0 to 5.7.9
• 5.6.0 to 5.6.11

Mitigation

The following Spring Security versions contain fixes for this vulnerability:

• 6.1.2+
• 6.0.5+
• 5.8.5+
• 5.7.10+
• 5.6.12+

The above require Spring Framework versions:

• 6.0.11+
• 5.3.29+
• 5.2.25+

Credit

This vulnerability was disclosed responsibly by tkswifty and Ha1c9on.

References

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1