CVE-2023-34034

Summary

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

Affected Software

VendorProductVersion RangeStatus
n/aSpring SecuritySpring Security 6.1.0 <= 6.1.1affected
n/aSpring SecuritySpring Security 6.0.0 <= 6.0.4affected
n/aSpring SecuritySpring Security 5.8.0 <= 5.8.4affected
n/aSpring SecuritySpring Security 5.7.0 <= 5.7.9affected
n/aSpring SecuritySpring Security 5.6.0 <= 5.6.11affected

Weaknesses

  • potential for a security bypass

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References