Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreSpring Security Advisories
CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern
Description
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
Affected Spring Products and Versions
Spring Security:
- 6.1.0 to 6.1.1
- 6.0.0 to 6.0.4
- 5.8.0 to 5.8.4
- 5.7.0 to 5.7.9
- 5.6.0 to 5.6.11
Mitigation
The following Spring Security versions contain fixes for this vulnerability:
- 6.1.2+
- 6.0.5+
- 5.8.5+
- 5.7.10+
- 5.6.12+
The above require Spring Framework versions:
- 6.0.11+
- 5.3.29+
- 5.2.25+
Credit
This vulnerability was disclosed responsibly by tkswifty and Ha1c9on.
Reporting a vulnerability
The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.
To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.
Get support
Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all