Cyber Resilience

CVE-2023-34034

Critical

Published: 19 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score: v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.4282 (97.6th percentile)
Risk Priority: 44 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-34034 is a critical-severity Improper Preservation of Permissions (CWE-281) vulnerability in VMware Spring Security. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS 0.4282, 97.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2023-34034 stems from a pattern-matching mismatch in Spring Security when the "**" wildcard is used in WebFlux configurations: Spring Security evaluates the pattern differently from the way Spring WebFlux routes the request, so the access-control rules can diverge from the actual request handling and create conditions for a security bypass. The affected component is Spring Security's WebFlux integration, and the CVSS 9.1 rating reflects that the flaw is reachable over the network without authentication or user interaction.

An unauthenticated remote attacker can supply crafted requests that evade intended access-control patterns, achieving unauthorized access that impacts confidentiality and integrity while leaving availability unaffected.

Spring and NetApp have published advisories for the issue that outline the available updates or configuration changes for remediation.

The associated EPSS score reached a peak of 0.5102 after initial disclosure before receding to the current value of 0.4282.

Vulnerability details

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: VMware
Product: Spring Security
Affected versions: 5.6.0 to 5.6.12, 5.7.0 to 5.7.10, 5.8.0 to 5.8.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-281: forces removal or modification of permissions that are no longer required after reassignment, preventing improper preservation of old access rights.