GHSA-3h6f-g5f3-gc4w

Suggest an improvement
Source
https://github.com/advisories/GHSA-3h6f-g5f3-gc4w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-3h6f-g5f3-gc4w/GHSA-3h6f-g5f3-gc4w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3h6f-g5f3-gc4w
Aliases
Published
2023-07-19T15:30:26Z
Modified
2024-02-16T08:23:02.201553Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Access Control Bypass in Spring Security
Details

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

References

Affected packages

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.6.0
Fixed
5.6.12

Affected versions

5.*

5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.6.10
5.6.11

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.7.10

Affected versions

5.*

5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.8.5

Affected versions

5.*

5.8.0
5.8.1
5.8.2
5.8.3
5.8.4

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2

Affected versions

6.*

6.1.0
6.1.1