Researchers have spotted a security flaw that has been found in Spring Security’s latest versions. The vulnerability tracked is a broken access control related, and as CVE-2023-34034, the flaw has a CVSS score of 9.8.
Spring Security is an integral part of the Java-based Spring Framework, catering to robust authentication and access control. With its broad user base, a security flaw within it could lead to devastating outcomes.
An investigation on the vulnerability, conducted by researchers and described the exact nature of the flaw, its potential victims, and a proof-of-concept illustrating the scenarios in which this flaw could be triggered for unauthorized access
The flaw centers around a filter bypass issue that can allow unauthorized users to gain access to sensitive areas of applications built on Spring WebFlux. This exploit can potentially compromise the security and integrity of the applications in question.
“Even though the given NVD Severity Score is Critical, this is only applicable to very specific cases detailed in our write-up and doesn’t affect all Spring applications by default. Applications utilizing the older ‘Spring MVC’ framework remain unaffected,”
For the vulnerability to apply, the targeted Spring WebFlux applications must use a vulnerable version of Spring Security for authentication and access control.
The vulnerability applies under the following conditions:
- The web application uses the Spring WebFlux framework (applications that use an older “Spring MVC” framework are not affected).
- The web application uses a vulnerable version of Spring Security. For example, 5.6.0.
- The web application uses URL path filtering for setting Spring Security access rules. The URL path pattern DOES NOT begin with a forward-slash character (
/). For example,
pathMatchers("admin/supershell"). This will affect a single page, in this example, the
Also, if the URL path contains the multiple-segments wildcard character (
**) this increases the vulnerability severity. For example,
pathMatchers("admin/**"). This will affect all pages under the URL path, in this example, everything under the
Upgrading your Spring Security version to one of the following is strongly advised:
The above requires the Spring Framework versions: