GHSA-3h6f-g5f3-gc4w

Source

https://github.com/advisories/GHSA-3h6f-g5f3-gc4w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-3h6f-g5f3-gc4w/GHSA-3h6f-g5f3-gc4w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3h6f-g5f3-gc4w

Aliases

CVE-2023-34034

Published

2023-07-19T15:30:26Z

Modified

2024-10-28T19:33:10.794744Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Access Control Bypass in Spring Security

Details

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

Database specific

{
    "nvd_published_at": "2023-07-19T15:15:11Z",
    "cwe_ids": [
        "CWE-281",
        "CWE-284"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T21:19:15Z"
}

References

Affected packages

Maven / org.springframework.security:spring-security-config

Package

Name: org.springframework.security:spring-security-config; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.6.0

Fixed

5.6.12

Affected versions

5.*

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.8

5.6.9

5.6.10

5.6.11

Maven / org.springframework.security:spring-security-config

Package

Name: org.springframework.security:spring-security-config; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.7.0

Fixed

5.7.10

Affected versions

5.*

5.7.0

5.7.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.9

Maven / org.springframework.security:spring-security-config

Package

Name: org.springframework.security:spring-security-config; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.8.0

Fixed

5.8.5

Affected versions

5.*

5.8.0

5.8.1

5.8.2

5.8.3

5.8.4

Maven / org.springframework.security:spring-security-config

Package

Name: org.springframework.security:spring-security-config; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.5

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

Maven / org.springframework.security:spring-security-config

Package

Name: org.springframework.security:spring-security-config; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.2

Affected versions

6.*

6.1.0

6.1.1