Skip to main content

The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK)

CVE-2023-34035

Severity Medium
Score 5.3/10

Summary

Spring Security in versions 5.8.0-RC1 through 5.8.4, 6.0.0-RC1 through 6.0.4, and 6.1.0-M1 through 6.1.1 could be susceptible to authorization rule misconfiguration if the application uses "requestMatchers(String)" and multiple servlets, one of them being Spring MVC’s "DispatcherServlet". (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on "@Controller-annotated classes".) Specifically, an application is vulnerable when all of the following are true: 1) Spring MVC is on the classpath. 2) Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s "DispatcherServlet"). 3) The application uses "requestMatchers(String)" to refer to endpoints that are not Spring MVC endpoints. An application is not vulnerable if any of the following is true: 1) The application does not have Spring MVC on the classpath. 2) The application secures no servlets other than Spring MVC’s "DispatcherServlet". 3) The application uses "requestMatchers(String)" only for Spring MVC endpoints.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-853 - The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK)

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Advisory Timeline

  • Published