Improper Neutralization of Wildcards or Matching Symbols
CVE-2023-34034
Summary
Using "**" as a pattern in a Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and with it the potential for a security bypass. This vulnerability affects the packages org.springframework.security:spring-security-config and org.springframework.security:spring-security-web in versions 5.0.0 through 5.6.11, 5.7.0 through 5.7.9, 5.8.0 through 5.8.4, 6.0.0 through 6.0.4, and 6.1.0 through 6.1.1.
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Availability Impact: HIGH
- Scope: UNCHANGED
- Privileges Required: NONE
- User Interaction: NONE
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
CWE-155 - Improper Neutralization of Wildcards or Matching Symbols
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.
References
Advisory Timeline
- Published