
Improper Neutralization of Wildcards or Matching Symbols

CVE-2023-34034

Severity High
Score 9.8/10

Summary

Using "**" as a pattern in a Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass. This vulnerability affects the packages org.springframework.security:spring-security-config and org.springframework.security:spring-security-web in versions 5.0.0 through 5.6.11, 5.7.0 through 5.7.9, 5.8.0 through 5.8.4, 6.0.0 through 6.0.4, and 6.1.0 through 6.1.1.
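As an added illustration that is not part of the advisory, the snippet below places the affected pattern form (a bare "**" passed to pathMatchers) beside a configuration written the way Spring Security's own WebFlux examples do it: path patterns anchored with a leading slash and anyExchange() for the catch-all rule. The class and bean names are hypothetical; on the affected versions listed above, the real fix is upgrading, and the rewritten config is a defensive pattern choice, not a substitute for that.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig { // hypothetical class name

    // Affected form: a bare "**" pattern, which Spring Security and Spring WebFlux
    // match differently on the versions named in the advisory. Kept without @Bean
    // so it is shown for contrast only and never registered.
    SecurityWebFilterChain affectedChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("**").authenticated())
            .httpBasic(withDefaults())
            .build();
    }

    // Preferred form: every explicit pattern starts with "/", and the catch-all
    // rule uses anyExchange() instead of a wildcard pattern, so there is no
    // bare "**" for the two matchers to disagree on.
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .anyExchange().authenticated())
            .httpBasic(withDefaults())
            .build();
    }
}
```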

CVSS metrics (consistent with the 9.8 score above):

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Availability Impact: HIGH
  • Scope: UNCHANGED
  • Privileges Required: NONE
  • User Interaction: NONE
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH

CWE-155 - Improper Neutralization of Wildcards or Matching Symbols

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

Advisory Timeline

  • Published