Spring Security authentication bypass vulnerability CVE-2023-34035



0. Preface

Background: The company was notified of an authentication bypass vulnerability in Spring Security, identified as CVE-2023-34035

Vulnerability

High | July 17, 2023 | CVE-2023-34035

Notification about an authentication bypass vulnerability in Spring Security, which has been identified as CVE-2023-34035.

Vulnerability introduction

CVE-2023-34034: WebFlux uses unprefixed double wildcard pattern to bypass security

Description

Affected Spring products and versions
Spring Security 5.8.0 to 5.8.4
Spring Security 6.0.0 to 6.0.4
Spring Security 6.1.0 to 6.1.1

Users of affected versions should take the following mitigation measures.

First:

5.8.x should be upgraded to 5.8.5
6.0.x should be upgraded to 6.0.5
6.1.x should be upgraded to 6.1.2

1. Reference documents

  1. CVE official website https://www.cve.org/CVERecord

  2. https://spring.io/security/cve-2023-34035

  3. https://nvd.nist.gov/vuln/detail/CVE-2023-34035

2. Basic introduction

2.1 Component Introduction:

Spring Security is a security framework that provides authentication, authorization, and other security features to protect web applications from attacks. Its main goal is to ensure that only authenticated and authorized users can access specific parts of the application or perform specific actions.

2.2 Vulnerability introduction:

The company received notification of an authentication bypass vulnerability in Spring Security, identified as CVE-2023-34035.

Affected versions of Spring Security are vulnerable to misconfigured authorization rules if the application uses requestMatchers(String) and multiple Servlets, one of which is Spring MVC's DispatcherServlet.

(DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods of classes annotated with @Controller.)

Specifically, an application is vulnerable when the following conditions are met:

  • Spring MVC is present on the classpath.
  • Spring Security protects multiple Servlets (one of which is Spring MVC's DispatcherServlet) in a single application.
  • Applications use requestMatchers(String) to reference non-Spring MVC endpoints.

An application is not vulnerable if any of the following conditions are true:

  • The application does not bring in Spring MVC on the classpath.
  • The application only protects Spring MVC's DispatcherServlet and no other Servlets.
  • The application only uses requestMatchers(String) for Spring MVC endpoints.

2.3 Affected versions:

  • 5.8.0 ≤ Spring Security ≤ 5.8.4
  • 6.0.0 ≤ Spring Security ≤ 6.0.4
  • 6.1.0 ≤ Spring Security ≤ 6.1.1

3. Solution

3.1. Upgrade version

The following Spring Security versions fix this vulnerability:

Spring Security 5.8.0 to 5.8.4
Spring Security 6.0.0 to 6.0.4
Spring Security 6.1.0 to 6.1.1

The above version requires the following Spring Framework versions:

5.8.x should be upgraded to 5.8.5
6.0.x should be upgraded to 6.0.5
6.1.x should be upgraded to 6.1.2

Spring recommends the following two-step mitigation:
Step 1: Upgrade to the latest version of Spring Security (6.1.2/6.0.5/5.8.5). Link: https://spring.io/projects/spring-security

Step 2: If you are using multiple Servlets, one of which is Spring MVC's DispatcherServlet, you may see the following error message on startup:

This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint,
please use requestMatchers(MvcRequestMatcher);
otherwise, please use requestMatchers(AntPathRequestMatcher).

Follow the instructions in this error message.

For example, if requestMatchers(String) points to a non-Spring MVC endpoint, change it to requestMatchers(new AntPathRequestMatcher("/endpoint")).

If requestMatchers(String) points to a Spring MVC endpoint such as /mvc-endpoint, change it to requestMatchers(new MvcRequestMatcher(introspector, "/mvc-endpoint")), where introspector is an @Autowired HandlerMappingIntrospector.
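As an added example (not part of the original post and not Spring's own code), the configuration below applies both corrections from Step 2 in one SecurityFilterChain. It assumes a Spring Boot application with Spring MVC on the classpath, a hypothetical MVC endpoint /mvc-endpoint, and a hypothetical non-MVC Servlet mapped under /legacy/*.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
public class SecurityConfig {

    // Before the fix, every rule below used requestMatchers(String), e.g.
    //   .requestMatchers("/legacy/**").authenticated()
    // With Spring MVC on the classpath and a second Servlet present, the
    // patched versions refuse to guess which matcher that String means and
    // fail at startup with the error quoted above. Each rule now names its
    // matcher type explicitly.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    HandlerMappingIntrospector introspector) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Spring MVC endpoint (served by DispatcherServlet): match the
                // way MVC itself resolves the path, via MvcRequestMatcher.
                .requestMatchers(new MvcRequestMatcher(introspector, "/mvc-endpoint"))
                    .authenticated()
                .requestMatchers(new MvcRequestMatcher(introspector, "/admin/**"))
                    .hasRole("ADMIN")
                // Non-MVC Servlet (hypothetical, mapped at /legacy/*): plain
                // Ant-style matching, so the rule covers exactly that Servlet path.
                .requestMatchers(new AntPathRequestMatcher("/legacy/**"))
                    .authenticated()
                // Deny anything not listed above so a missed mapping fails closed.
                .anyRequest().denyAll());
        return http.build();
    }
}
```

HandlerMappingIntrospector is registered automatically by Spring MVC (bean name mvcHandlerMappingIntrospector), so injecting it as a @Bean method parameter is equivalent to the @Autowired form the advisory describes.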


Origin blog.csdn.net/wangshuai6707/article/details/132898994