CVE-2023-34034
Published: 19 July 2023
Summary
CVE-2023-34034 is a critical-severity Improper Preservation of Permissions (CWE-281) vulnerability in VMware Spring Security. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-34034 stems from a pattern-matching mismatch in Spring Security when the "**" wildcard is used in WebFlux security configurations: Spring Security evaluates the pattern differently from the way Spring WebFlux routes the request, so the access-control rules diverge from the handler that actually serves it, creating conditions for a security bypass. The affected component is Spring Security integrated with WebFlux, and the CVSS 9.1 rating reflects a network-reachable attack vector that requires no authentication.
An unauthenticated remote attacker can supply crafted requests that evade the intended access-control patterns, gaining unauthorized access that impacts confidentiality and integrity while leaving availability unaffected.
The Spring and NetApp advisories for this issue outline the available updates and configuration changes for remediation.
The associated EPSS score reached a peak of 0.5102 after initial disclosure before receding to the current value of 0.4282.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1939
Vulnerability details
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
- CWE(s): CWE-281 (Improper Preservation of Permissions)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Forces removal or modification of permissions no longer required after reassignment, preventing improper preservation of old access rights.