Fluid Attacks Database

Description

Access Control Bypass in Spring Security Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.security:spring-security-core	>=5.6.0 <5.6.12 \|\| >=5.7.0 <5.7.10 \|\| >=5.8.0 <5.8.5 \|\| >=6.0.0 <6.0.5 \|\| >=6.1.0 <6.1.2	5.6.12, 5.7.10, 5.8.5, 6.0.5, 6.1.2
maven	org.springframework.security:spring-security-config	>=5.6.0 <5.6.12 \|\| >=5.7.0 <5.7.10 \|\| >=5.8.0 <5.8.5 \|\| >=6.0.0 <6.0.5 \|\| >=6.1.0 <6.1.2	5.6.12, 5.7.10, 5.8.5, 6.0.5, 6.1.2

Aliases

1. CVE-2023-340342. NVD-2023-340343. OSV-2023-340344. GCVE-2023-340345. SPRING-cve-2023-34034

References

1. https://github.com/hotblac/cve-2023-340342. https://security.netapp.com/advisory/ntap-20230814-00083. https://spring.io/security/cve-2023-34034

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.