9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34034

CVE-2023-34034: Access Control Bypass in Spring Security

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-34034

CVE-2023-34034:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.security:spring-security-config	maven	>= 5.6.0, < 5.6.12	5.6.12
org.springframework.security:spring-security-config	maven	>= 5.7.0, < 5.7.10	5.7.10
org.springframework.security:spring-security-config	maven	>= 5.8.0, < 5.8.5	5.8.5
org.springframework.security:spring-security-config	maven	>= 6.0.0, < 6.0.5	6.0.5
org.springframework.security:spring-security-config	maven	>= 6.1.0, < 6.1.2	6.1.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The JFrog blog post provides a detailed analysis of the vulnerability and the fix. It explicitly mentions the PathPatternParserServerWebExchangeMatcher.java file and the parse() method as the location of the vulnerability. The explanation of how the initFullPathPattern() method was introduced in the fix to correctly handle patterns confirms that the original parse() method was the source of the issue. Although direct commit information was not available through the tool, the blog post's analysis of the commit is sufficiently detailed to identify the vulnerable function with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-34034: Access Control Bypass in Spring Security

CVE-2023-34034:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

9.1

9.1

CVE-2023-34034: Access Control Bypass in Spring Security

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI