Vulnerability Details : CVE-2023-34034
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
Products affected by CVE-2023-34034
- cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-34034
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-34034
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
3.9
|
5.2
|
VMware | |
9.8
|
CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
Oracle:CPUOct2023 |
CWE ids for CVE-2023-34034
-
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2023-34034
-
https://spring.io/security/cve-2023-34034
CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard PatternVendor Advisory
-
https://security.netapp.com/advisory/ntap-20230814-0008/
CVE-2023-34034 Spring Security Vulnerability in NetApp Products | NetApp Product Security
Jump to