[High risk] Misconfiguration of Spring Security authentication rules

Vulnerability description

Spring Security is a security framework that provides declarative security protection for Spring-based applications.

In the affected versions, Spring Security's authorization rules are applied to the entire application context. When an application contains multiple servlets, one of which is Spring MVC's DispatcherServlet, and uses the requestMatchers(String) method to add an endpoint that is not a Spring MVC endpoint to its authorization rules, that rule is applied incorrectly. An attacker can send requests to that endpoint and bypass the authorization rule, thereby gaining access.

Vulnerability name: Spring Security authentication rule misconfiguration risk
Vulnerability type: Improper allocation of key resource permissions
Discovery time: 2023/7/18
Vulnerability breadth: -
MPS number: MPS-l6z0-dktm
CVE number: CVE-2023-34035
CNVD number: -


Affected scope

org.springframework.security:spring-security-config@[6.0.0, 6.0.5)

org.springframework.security:spring-security-config@[5.8.0, 5.8.5)

org.springframework.security:spring-security-config@[6.1.0, 6.1.2)

libspring-security-2.0-java: all versions affected

Remediation

Upgrade the component org.springframework.security:spring-security-config to version 6.0.5 and above

For any non-Spring MVC endpoint currently referenced with requestMatchers(String), use an explicit matcher instead, i.e. requestMatchers(new AntPathRequestMatcher("/endpoint"))

Upgrade the component org.springframework.security:spring-security-config to version 6.1.2 and above
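As an added illustration of the remediation above (example code, not taken from the advisory or from the Spring Security project), the configuration below shows the affected usage next to the corrected one. The deployment it assumes is constructed: Spring MVC's DispatcherServlet serves paths under /api/, a plain non-MVC servlet serves paths under /legacy/, and the roles USER and ADMIN are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/*
 * Assumed deployment (constructed for this example, not from the advisory):
 *   - Spring MVC's DispatcherServlet is mapped to /api/*
 *   - a legacy, non-MVC servlet is mapped to /legacy/*
 * Both servlets live in one application context, so this single
 * SecurityFilterChain governs requests to both of them.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Spring MVC endpoint handled by the DispatcherServlet:
                // the String form of requestMatchers is fine here.
                .requestMatchers("/api/**").hasRole("USER")

                // BEFORE (affected usage): the same String form applied to an
                // endpoint that is NOT served by Spring MVC.
                //   .requestMatchers("/legacy/**").hasRole("ADMIN")
                //
                // AFTER (remediation from the advisory): name the matcher
                // explicitly so the rule is evaluated against the request path
                // irrespective of which servlet handles it.
                .requestMatchers(new AntPathRequestMatcher("/legacy/**")).hasRole("ADMIN")

                // Deny-by-default catch-all: any request not matched above
                // still requires authentication, which limits the impact of a
                // rule that fails to match.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The upgrade to a fixed version remains the primary fix; the explicit AntPathRequestMatcher is the change to apply to existing rules for non-Spring MVC endpoints, and a restrictive anyRequest() rule is a general hardening step that keeps an unmatched request from being served without authentication.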

Reference links

https://www.oscs1024.com/hd/MPS-l6z0-dktm

https://nvd.nist.gov/vuln/detail/CVE-2023-34035

https://spring.io/security/cve-2023-34035

https://github.com/spring-projects/spring-security/commit/df239b6448ccf138b0c95b5575a88f33ac35cd9a

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform and full-life-cycle security management built around the SBOM. Platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning, and commercial software supply chain access assessment, giving customers complete control from supply chain asset identification and management through risk detection and security control to one-click repair.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated into an existing development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor, and Nexus.

Free code security detection tool:  https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj


Origin blog.csdn.net/murphysec/article/details/131919554