Beware of Pattern Matching Issues in Spring Security WebFlux Configurations

CVE: CVE-2023-34034
CVSS (v3.1): 9.1
Source: CVE-2023-34034

The popular Java web framework Spring is affected by a vulnerability that could allow attackers to bypass authentication and authorization checks.

Specifically, the issue lies in how path patterns are configured in Spring Security for Spring WebFlux applications. When a double asterisk “**” is used as a pattern, Spring Security and Spring WebFlux do not interpret it the same way, so the two components can disagree about which requests a rule covers.

This mismatch could allow an attacker to craft requests that one component matches and the other does not, bypassing the intended access controls and reaching restricted routes or resources without proper authentication.

The current CVSS score for this issue (CVE-2023-34034) is 9.1, placing it in the critical range. Web applications that use Spring Security with WebFlux and have double asterisk patterns in their security configuration are affected.

If you use Spring Security in a WebFlux application, carefully review your configuration and remove any use of “**” as a pattern match. You may also want to monitor for requests your application did not expect and verify that its access controls cannot be bypassed. Keeping your Spring frameworks up to date will also help apply any fixes.
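As an added illustration that is not part of the original advisory, the configuration below shows a Spring Security WebFlux filter chain in the style the advisory warns about beside a hardened version. The route prefixes (/public, /admin) and the choice of a bare "**" (no leading slash) as the pattern to remove are assumptions made for this example.

```java
// Added example (not from the original advisory): Spring Security WebFlux config
// with the pattern style the advisory warns about and a hardened replacement.
// Route prefixes and the bare "**" form are assumptions for illustration.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // BEFORE (review target, deliberately NOT registered as a bean): the rule that
    // is meant to protect everything uses a bare "**". Spring Security and WebFlux
    // may not interpret that pattern identically, so the rule cannot be relied on
    // and a request can fall through to the permissive catch-all below it.
    public SecurityWebFilterChain weakChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers("/public/**").permitAll()
                .pathMatchers("**").authenticated()   // <- remove this pattern
                .anyExchange().permitAll())
            .httpBasic(Customizer.withDefaults())
            .build();
    }

    // AFTER: every pattern is anchored with a leading "/" so both components see
    // the same path, rules are ordered most-specific first, and the catch-all
    // requires authentication instead of permitting everything by default.
    @Bean
    public SecurityWebFilterChain hardenedChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers("/public/**").permitAll()
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

A quick configuration review is to grep security configs for `pathMatchers("**")` and any pattern that does not start with "/", then confirm each protected route with an integration test that sends an unauthenticated request and expects 401.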

Taking steps to remove vulnerable patterns and monitor for unexpected behavior can help protect your Spring-powered application and its users from attacks targeting this authorization bypass issue.
