GSD-2023-34034
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-34034",
"id": "GSD-2023-34034"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-34034"
],
"details": "Using \"**\" as a pattern in Spring Security configuration \nfor WebFlux creates a mismatch in pattern matching between Spring \nSecurity and Spring WebFlux, and the potential for a security bypass.\n\n",
"id": "GSD-2023-34034",
"modified": "2023-12-13T01:20:30.391538Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@vmware.com",
"ID": "CVE-2023-34034",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Security",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Spring Security 6.1.0",
"version_value": "6.1.1"
},
{
"version_affected": "\u003c=",
"version_name": "Spring Security 6.0.0 ",
"version_value": "6.0.4"
},
{
"version_affected": "\u003c=",
"version_name": "Spring Security 5.8.0",
"version_value": "5.8.4"
},
{
"version_affected": "\u003c=",
"version_name": "Spring Security 5.7.0 ",
"version_value": "5.7.9 "
},
{
"version_affected": "\u003c=",
"version_name": "Spring Security 5.6.0",
"version_value": "5.6.11"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Using \"**\" as a pattern in Spring Security configuration \nfor WebFlux creates a mismatch in pattern matching between Spring \nSecurity and Spring WebFlux, and the potential for a security bypass.\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "potential for a security bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://spring.io/security/cve-2023-34034",
"refsource": "MISC",
"url": "https://spring.io/security/cve-2023-34034"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230814-0008/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230814-0008/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[5.6.0,5.6.12),[5.7.0,5.7.10),[5.8.0,5.8.5),[6.0.0,6.0.5),[6.1.0,6.1.2)",
"affected_versions": "All versions starting from 5.6.0 before 5.6.12, all versions starting from 5.7.0 before 5.7.10, all versions starting from 5.8.0 before 5.8.5, all versions starting from 6.0.0 before 6.0.5, all versions starting from 6.1.0 before 6.1.2",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-08-15",
"description": "Using \"**\" as a pattern in Spring Security configuration \nfor WebFlux creates a mismatch in pattern matching between Spring \nSecurity and Spring WebFlux, and the potential for a security bypass.\n\n",
"fixed_versions": [
"5.6.12",
"5.7.10",
"5.8.5",
"6.0.5",
"6.1.2"
],
"identifier": "CVE-2023-34034",
"identifiers": [
"GHSA-3h6f-g5f3-gc4w",
"CVE-2023-34034"
],
"not_impacted": "All versions before 5.6.0, all versions starting from 5.6.12 before 5.7.0, all versions starting from 5.7.10 before 5.8.0, all versions starting from 5.8.5 before 6.0.0, all versions starting from 6.0.5 before 6.1.0, all versions starting from 6.1.2",
"package_slug": "maven/org.springframework.security/spring-security-config",
"pubdate": "2023-07-19",
"solution": "Upgrade to versions 5.6.12, 5.7.10, 5.8.5, 6.0.5, 6.1.2 or above.",
"title": "Access Control Bypass in Spring Security",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-34034",
"https://spring.io/security/cve-2023-34034",
"https://ossindex.sonatype.org/vulnerability/CVE-2023-34034",
"https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777893",
"https://security.netapp.com/advisory/ntap-20230814-0008/",
"https://github.com/advisories/GHSA-3h6f-g5f3-gc4w"
],
"uuid": "edf628bb-26fc-48a0-8c86-1724d68ee04f"
},
{
"affected_range": "[5.6.0,5.6.12),[5.7.0,5.7.10),[5.8.0,5.8.5),[6.0.0,6.0.5),[6.1.0,6.1.2)",
"affected_versions": "All versions starting from 5.6.0 before 5.6.12, all versions starting from 5.7.0 before 5.7.10, all versions starting from 5.8.0 before 5.8.5, all versions starting from 6.0.0 before 6.0.5, all versions starting from 6.1.0 before 6.1.2",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-08-14",
"description": "Using \"**\" as a pattern in Spring Security configuration \nfor WebFlux creates a mismatch in pattern matching between Spring \nSecurity and Spring WebFlux, and the potential for a security bypass.",
"fixed_versions": [
"5.6.12",
"5.7.10",
"5.8.5",
"6.0.5",
"6.1.2"
],
"identifier": "CVE-2023-34034",
"identifiers": [
"CVE-2023-34034"
],
"not_impacted": "All versions before 5.6.0, all versions starting from 5.6.12 before 5.7.0, all versions starting from 5.7.10 before 5.8.0, all versions starting from 5.8.5 before 6.0.0, all versions starting from 6.0.5 before 6.1.0, all versions starting from 6.1.2",
"package_slug": "maven/org.springframework.security/spring-security-core",
"pubdate": "2023-07-19",
"solution": "Upgrade to versions 5.6.12, 5.7.10, 5.8.5, 6.0.5, 6.1.2 or above.",
"title": "Improper Handling of Inconsistent Structural Elements",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-34034",
"https://spring.io/security/cve-2023-34034"
],
"uuid": "bc914919-1074-4b66-91c6-58fea6460dec"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.5",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.8.5",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.6.12",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.7.10",
"versionStartIncluding": "5.7.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@vmware.com",
"ID": "CVE-2023-34034"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Using \"**\" as a pattern in Spring Security configuration \nfor WebFlux creates a mismatch in pattern matching between Spring \nSecurity and Spring WebFlux, and the potential for a security bypass.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://spring.io/security/cve-2023-34034",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://spring.io/security/cve-2023-34034"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230814-0008/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230814-0008/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-08-14T19:15Z",
"publishedDate": "2023-07-19T15:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…