| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.springframework.security:spring-security-config | maven | >= 5.8.0, < 5.8.5 | 5.8.5 |
| org.springframework.security:spring-security-config | maven | >= 6.0.0, < 6.0.5 | 6.0.5 |
| org.springframework.security:spring-security-config | maven | >= 6.1.0, < 6.1.2 | 6.1.2 |

The vulnerability (CVE-2023-34035) describes a situation in which Spring Security's authorization rules can be misconfigured when an application uses requestMatchers(String) (the string-pattern overloads in AbstractRequestMatcherRegistry) and registers multiple servlets, one of which is Spring MVC's DispatcherServlet. The core issue is the ambiguity in deciding whether a string pattern refers to a Spring MVC endpoint or to an endpoint served by another servlet.

The analysis of the provided commit df239b6448ccf138b0c95b5575a88f33ac35cd9a shows significant changes to the requestMatchers(HttpMethod method, String... patterns) method in org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry. The original logic only checked whether Spring MVC was on the classpath (mvcPresent) to decide between MVC-specific matchers and generic Ant-style path matchers. That check is insufficient when multiple servlets are registered: a string pattern intended for a non-MVC servlet could be interpreted as an MVC pattern, or vice versa.

The patch introduces more robust checks: it verifies that the application context is a WebApplicationContext, inspects the ServletContext for servlet registrations, and specifically checks for the presence and uniqueness of DispatcherServlet using a new hasDispatcherServlet method. If ambiguity is detected (that is, a DispatcherServlet is registered but it is not the only servlet), an IllegalArgumentException is thrown, compelling the developer to use explicit matcher types such as MvcRequestMatcher or AntPathRequestMatcher so that the intended servlet is unambiguous.

The requestMatchers(String... patterns) method, which simply calls requestMatchers(null, patterns), is also identified as vulnerable because it delegates directly to the patched method and therefore inherited its flawed logic.

Therefore, these two methods in AbstractRequestMatcherRegistry are the vulnerable functions: their previous implementations could produce misconfigured authorization rules under the conditions described above. The other commits either demonstrate the fix in a sample application (4e3bec904a5467db28ea33e25ac9d90524b53d66) or update test infrastructure (bb46a5427005e33e637b15948de8adae244ce547); they reinforce the context of the vulnerability but do not point to other vulnerable library functions.
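The following configuration is an added example, not code from the Spring Security project or from the commits analysed above. It shows the mitigation the patch pushes developers toward: naming the matcher type explicitly (MvcRequestMatcher for the DispatcherServlet, AntPathRequestMatcher for everything else) instead of passing bare string patterns to requestMatchers, so the ambiguity never arises regardless of library version. It also includes a small hypothetical probe, hasAmbiguousServletLayout, written here in the spirit of the patch's hasDispatcherServlet check (it is not the library's implementation) that reports whether a deployment is in the multi-servlet situation the advisory describes. Assumptions: Spring Security 6.x with the jakarta.servlet namespace (5.8 uses javax.servlet), a DispatcherServlet mapped at "/spring/*", a second non-MVC servlet at "/legacy/*", and illustrative role names.

```java
import java.util.Map;
import java.util.logging.Logger;

import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletRegistration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

/**
 * Added example: authorization rules that name their matcher type explicitly, so the
 * string-pattern overloads of requestMatchers (the ones patched for CVE-2023-34035) are
 * never relied on in a multi-servlet deployment. Assumed layout: DispatcherServlet at
 * "/spring/*", a second non-MVC servlet at "/legacy/*"; role names are illustrative.
 */
@Configuration
@EnableWebSecurity
public class ExplicitMatcherSecurityConfig {

    private static final Logger LOG = Logger.getLogger(ExplicitMatcherSecurityConfig.class.getName());

    /**
     * Hypothetical probe in the spirit of the patch's hasDispatcherServlet check (not the
     * library's code): true when a DispatcherServlet is registered but is not the only
     * servlet, which is exactly the case in which a bare string pattern is ambiguous.
     */
    static boolean hasAmbiguousServletLayout(ServletContext servletContext) {
        Map<String, ? extends ServletRegistration> registrations = servletContext.getServletRegistrations();
        boolean dispatcherPresent = registrations.values().stream()
                // Compares the registered class name; a subclass of DispatcherServlet would
                // need an isAssignableFrom check through the class loader (simplification).
                .anyMatch(reg -> DispatcherServlet.class.getName().equals(reg.getClassName()));
        return dispatcherPresent && registrations.size() > 1;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    HandlerMappingIntrospector introspector,
                                    ServletContext servletContext) throws Exception {
        if (hasAmbiguousServletLayout(servletContext)) {
            LOG.warning("Multiple servlets registered alongside DispatcherServlet: "
                    + "string patterns in requestMatchers would be ambiguous here; "
                    + "this chain uses explicit MvcRequestMatcher/AntPathRequestMatcher instances.");
        }

        // MVC matchers are scoped to the DispatcherServlet's servlet path, so "/admin/**"
        // below means "/spring/admin/**" and is matched with Spring MVC's own path semantics.
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector).servletPath("/spring");

        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
                .requestMatchers(mvc.pattern("/api/**")).authenticated()
                // The non-MVC servlet is matched with an Ant-style matcher against the full URI.
                .requestMatchers(AntPathRequestMatcher.antMatcher("/legacy/**")).hasRole("OPERATOR")
                // Deny by default so a request matching neither rule is never accidentally open.
                .anyRequest().denyAll());

        return http.build();
    }
}
```

The explicit builder form is what a patched library would demand anyway: on 5.8.5, 6.0.5 or 6.1.2 and later, a bare requestMatchers("/admin/**") in this layout fails at startup with the IllegalArgumentException described above, while the configuration here starts cleanly on both patched and unpatched versions. The probe is useful in a test with a mock ServletContext, or at startup as here, to confirm whether a given deployment actually falls into the affected multi-servlet case before deciding how urgently to upgrade.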