CVE-2023-34034
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
Description
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
Comprehensive Technical Analysis of CVE-2023-34034
CVE ID: CVE-2023-34034
CVSS Score: 9.1 (Critical)
Affected Component: Spring Security (WebFlux)
Vulnerability Type: Security Bypass via Pattern Mismatch
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2023-34034 is a critical security misconfiguration vulnerability in Spring Security when used with Spring WebFlux, a reactive-stack web framework. The issue arises from the use of the `**` (double asterisk) wildcard pattern in security configurations, leading to a mismatch in path-matching logic between Spring Security and Spring WebFlux.
Root Cause
- Spring Security and Spring WebFlux employ different path-matching algorithms:
  - Spring Security (traditional MVC) uses Ant-style path matching, where `**` matches zero or more path segments.
  - Spring WebFlux (reactive) uses PathPatternParser, which interprets `**` differently, potentially leading to inconsistent security enforcement.
- When a security rule is defined with `**` (e.g., `/admin/**`), Spring Security may incorrectly authorize requests that WebFlux would otherwise block, creating a security bypass.
Severity Justification (CVSS 9.1)
| CVSS Metric | Score | Rationale |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over HTTP/HTTPS. |
| Attack Complexity (AC) | Low (L) | No special conditions required; standard HTTP requests suffice. |
| Privileges Required (PR) | None (N) | No authentication needed. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Unchanged (U) | No change of security authority: the bypass is confined to the vulnerable application's own authorization decisions (consistent with the vector above and the 9.1 score). |
| Confidentiality (C) | High (H) | Unauthorized access to sensitive endpoints. |
| Integrity (I) | High (H) | Attackers may modify or delete data. |
| Availability (A) | None (N) | No direct impact on system availability. |
Resulting CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical)
2. Potential Attack Vectors & Exploitation Methods
Exploitation Scenario
An attacker can exploit this vulnerability by:
- Identifying Misconfigured Endpoints:
  - Scanning for applications using Spring Security with WebFlux and `**` patterns (e.g., `/api/**`, `/admin/**`).
- Crafting Malicious Requests:
  - Sending HTTP requests to bypass intended security restrictions by leveraging the path-matching inconsistency.
  - Example: if `/admin/**` is protected but `/admin/../secret` is not, an attacker may access `/secret` by manipulating the path.
- Gaining Unauthorized Access:
  - Accessing sensitive APIs, administrative functions, or data that should be restricted.
Proof-of-Concept (PoC) Exploitation
A simple PoC could involve:

```http
GET /admin/../protected/resource HTTP/1.1
Host: vulnerable-app.com
```

- If Spring Security incorrectly allows this due to `**` pattern matching, while WebFlux would block it, the request succeeds.
Real-World Impact
- Unauthorized Data Exposure: Attackers may access confidential data (e.g., PII, financial records).
- Privilege Escalation: Bypassing authentication/authorization to perform admin actions.
- API Abuse: Exploiting misconfigured REST APIs to manipulate backend systems.
3. Affected Systems & Software Versions
Vulnerable Components
- Spring Security (when used with Spring WebFlux)
- Spring Boot applications leveraging reactive security configurations
Affected Versions
| Component | Vulnerable Versions | Fixed Versions |
|---|---|---|
| Spring Security | < 5.8.0, < 6.0.0 | 5.8.0+, 6.0.0+ |
| Spring Boot | < 2.7.12, < 3.0.7 | 2.7.12+, 3.0.7+ |
Note: Applications using Spring MVC (non-reactive) are not affected.
Detection Methods
- Static Analysis:
  - Search for `**` patterns in SecurityWebFilterChain configurations.
  - Example:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/admin/**").hasRole("ADMIN") // Vulnerable if WebFlux is used
                .anyExchange().permitAll()
            )
            .build();
    }
}
```

- Dynamic Testing:
  - Send crafted requests (e.g., `/admin/../protected`) and observe if access is granted.
4. Recommended Mitigation Strategies
Immediate Remediation
- Upgrade Spring Security & Spring Boot:
  - Spring Security: Upgrade to 5.8.0+ or 6.0.0+.
  - Spring Boot: Upgrade to 2.7.12+ or 3.0.7+.
- Replace `**` with Explicit Paths:
  - Avoid using `**` in WebFlux security configurations.
  - Use explicit path patterns (e.g., `/admin/{*path}` instead of `/admin/**`).
- Apply Path-Matching Consistency:
  - Ensure Spring Security and WebFlux use the same path-matching strategy (e.g., PathPatternParser for both).
Workarounds (If Upgrade Not Possible)
- Use PathPatternParser in Spring Security:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.web.util.pattern.PathPatternParser;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // pathMatchers() accepts pattern strings only; to pin an explicit
        // PathPatternParser, parse the pattern yourself and register it through
        // the PathPatternParser-based exchange matcher via matchers().
        PathPatternParser parser = new PathPatternParser();
        return http
            .authorizeExchange(exchanges -> exchanges
                .matchers(new PathPatternParserServerWebExchangeMatcher(parser.parse("/admin/{*path}")))
                    .hasRole("ADMIN")
                .anyExchange().permitAll()
            )
            .build();
    }
}
```

- Implement Custom Path Matching:
  - Override default path matching to enforce stricter rules.
Long-Term Best Practices
- Security Configuration Review:
  - Audit all SecurityWebFilterChain configurations for `**` usage.
- Automated Scanning:
- Use SAST/DAST tools (e.g., SonarQube, OWASP ZAP) to detect misconfigurations.
- Least Privilege Principle:
- Restrict access to sensitive endpoints with granular permissions.
5. Impact on the Cybersecurity Landscape
Broader Implications
- Increased Attack Surface:
- Many microservices and cloud-native applications use Spring WebFlux, making this a widespread risk.
- Supply Chain Risks:
- Third-party libraries and dependencies may inherit this vulnerability.
- Compliance Violations:
- Unauthorized access could lead to GDPR, HIPAA, or PCI-DSS violations.
Industry Response
- CISA Advisory: Included in Known Exploited Vulnerabilities (KEV) Catalog (if actively exploited).
- Vendor Patches: VMware (Spring) released emergency patches to address the issue.
- Security Community Awareness:
- OWASP and other security organizations have highlighted path traversal and security misconfiguration risks.
6. Technical Details for Security Professionals
Deep Dive: Path-Matching Inconsistency
Spring Security (AntPathMatcher)
- `**` matches zero or more path segments (e.g., `/admin/**` matches `/admin`, `/admin/user`, `/admin/user/profile`).
- Case-sensitive by default.
Spring WebFlux (PathPatternParser)
- `**` is more restrictive and may not match certain path traversal attempts.
- Case-insensitive by default (unless configured otherwise).
Exploitation Flow
- Request: `GET /admin/../secret`
- Spring Security: Matches `/admin/**` → Allows (if role-based auth passes).
- Spring WebFlux: Does not match `/admin/**` → Would block (but Security already allowed it).
- Result: Security bypass occurs.
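The divergence described in this section can be measured rather than assumed. The program below is an added example, not code from the advisory or from the Spring project; it assumes Java 17 with spring-core and spring-web on the classpath, and the pattern list and candidate paths are constructed here (the paths are the advisory's own examples plus a few edge cases). It feeds each security pattern to Spring's AntPathMatcher and to PathPatternParser and flags every request path on which the two give different answers. Run over the patterns pulled from a SecurityWebFilterChain, it is also the concrete form of the Static Analysis step in section 3: a pattern with no disagreements on the paths your application serves is one whose security decision does not depend on which matcher evaluates it.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.http.server.PathContainer;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

/**
 * Added example (not from the advisory or from Spring): evaluates one security
 * pattern with both of Spring's matchers and reports the request paths on which
 * they disagree. Assumes spring-core and spring-web on the classpath.
 */
public class PatternDivergenceAudit {

    /** One audited path with the verdict of each matcher. */
    public record Verdict(String path, boolean antMatches, boolean pathPatternMatches) {
        public boolean disagree() {
            return antMatches != pathPatternMatches;
        }
    }

    private final AntPathMatcher ant = new AntPathMatcher();          // Ant-style semantics
    private final PathPatternParser parser = new PathPatternParser(); // WebFlux semantics

    /** Run every candidate path through both matchers for the given pattern. */
    public List<Verdict> audit(String pattern, List<String> paths) {
        PathPattern compiled = parser.parse(pattern); // throws PatternParseException on an invalid pattern
        List<Verdict> verdicts = new ArrayList<>();
        for (String path : paths) {
            boolean antResult = ant.match(pattern, path);
            boolean pathPatternResult = compiled.matches(PathContainer.parsePath(path));
            verdicts.add(new Verdict(path, antResult, pathPatternResult));
        }
        return verdicts;
    }

    /** Only the rows where the two matchers give different answers. */
    public List<Verdict> disagreements(String pattern, List<String> paths) {
        return audit(pattern, paths).stream().filter(Verdict::disagree).toList();
    }

    /** Constructed candidate paths: the advisory's examples plus a few edge cases. */
    static final List<String> SAMPLE_PATHS = List.of(
            "/admin", "/admin/", "/admin/user", "/admin/user/profile",
            "/admin/../secret", "/admin//user", "/ADMIN/user", "/secret");

    public static void main(String[] args) {
        PatternDivergenceAudit audit = new PatternDivergenceAudit();
        // Both patterns come from the advisory: the wildcard form and its suggested replacement.
        for (String pattern : List.of("/admin/**", "/admin/{*path}")) {
            System.out.printf("%npattern %-18s %-6s %s%n", pattern, "Ant", "PathPattern");
            for (Verdict v : audit.audit(pattern, SAMPLE_PATHS)) {
                System.out.printf("  %-24s %-6b %-12b%s%n", v.path(), v.antMatches(),
                        v.pathPatternMatches(), v.disagree() ? "  <-- DISAGREE" : "");
            }
        }
    }
}
```

Note that AntPathMatcher has no notion of the `{*path}` capture segment, so rows flagged for that pattern mostly reflect the two matchers' different pattern languages rather than a misconfiguration; the rows that matter for this CVE are the ones under `/admin/**`, where an application expects identical answers from both.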
Forensic & Detection Methods
- Log Analysis:
- Check for unexpected 200 OK responses on sensitive endpoints.
  - Look for path traversal attempts (`/../`, `//`).
- Network Traffic Monitoring:
- Detect anomalous HTTP requests to restricted paths.
- SIEM Correlation:
- Alert on unauthorized access to admin/API endpoints.
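The log-analysis and SIEM points above reduce to two checks per access-log line: does the raw request path carry a traversal or encoding marker, and did a request under a protected prefix receive a success response? The program below is an added example, not code from the advisory or from any SIEM product; it assumes Java 17, a Common Log Format access log, and an assumed list of protected prefixes, and the log lines it processes are constructed samples, not real traffic. It normalizes each path lexically (percent-decoding, collapsing repeated slashes, resolving `..`) so that a 200 on `/admin//users` or `/admin/%2e%2e/secret` is judged on both the raw and the normalized form.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the advisory): triage of access-log lines for the two
 * signals the advisory names, traversal-style request paths and unexpected 2xx
 * responses on protected prefixes. Log format and prefix list are assumptions.
 */
public class AccessLogTriage {

    /** Common Log Format: client ident user [time] "METHOD PATH PROTO" STATUS SIZE */
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) \\S+");

    /** Raw-path markers worth a second look: dot-dot, doubled slash, or their %-encodings. */
    private static final Pattern TRAVERSAL = Pattern.compile("(?i)(/\\.\\.(/|$)|//|%2e%2e|%2f)");

    /** Assumed: path prefixes the security configuration is meant to protect. */
    static final List<String> SENSITIVE_PREFIXES = List.of("/admin", "/api/internal");

    public record Finding(String client, String method, String rawPath, String normalizedPath,
                          int status, List<String> reasons) {}

    /** Percent-decode, drop the query string, collapse slashes and resolve "." / ".." lexically. */
    static String normalize(String rawPath) {
        String decoded = URLDecoder.decode(rawPath.split("\\?", 2)[0], StandardCharsets.UTF_8);
        List<String> segments = new ArrayList<>();
        for (String seg : decoded.split("/+")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (!segments.isEmpty()) segments.remove(segments.size() - 1);
                continue;
            }
            segments.add(seg);
        }
        return "/" + String.join("/", segments);
    }

    static boolean underSensitivePrefix(String path) {
        return SENSITIVE_PREFIXES.stream()
                .anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));
    }

    /** Returns one Finding per suspicious line; clean or unparseable lines produce nothing. */
    public static List<Finding> triage(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue; // unparseable line: skip rather than abort the whole run
            String client = m.group(1), method = m.group(2), raw = m.group(3);
            int status = Integer.parseInt(m.group(4));
            String norm = normalize(raw);
            List<String> reasons = new ArrayList<>();
            if (TRAVERSAL.matcher(raw).find()) {
                reasons.add("traversal/encoding marker in raw path");
            }
            boolean success = status >= 200 && status < 300;
            if (success && (underSensitivePrefix(raw) || underSensitivePrefix(norm))) {
                reasons.add("2xx on sensitive prefix");
            }
            if (!reasons.isEmpty()) {
                findings.add(new Finding(client, method, raw, norm, status, reasons));
            }
        }
        return findings;
    }

    /** Constructed sample lines (not real traffic) exercising each rule. */
    static final List<String> SAMPLE = List.of(
            "203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] \"GET /admin/../protected/resource HTTP/1.1\" 200 512",
            "203.0.113.5 - - [10/Jul/2023:12:00:02 +0000] \"GET /admin//users HTTP/1.1\" 200 2048",
            "198.51.100.7 - - [10/Jul/2023:12:00:03 +0000] \"GET /admin/%2e%2e/secret HTTP/1.1\" 200 100",
            "192.0.2.9 - - [10/Jul/2023:12:00:04 +0000] \"GET /admin/users HTTP/1.1\" 403 0",
            "192.0.2.9 - - [10/Jul/2023:12:00:05 +0000] \"GET /public/index.html HTTP/1.1\" 200 1024");

    public static void main(String[] args) {
        for (Finding f : triage(SAMPLE)) {
            System.out.printf("%s %s %s (normalized %s) %d : %s%n", f.client(), f.method(),
                    f.rawPath(), f.normalizedPath(), f.status(), String.join("; ", f.reasons()));
        }
    }
}
```

The 403 on `/admin/users` and the 200 on `/public/index.html` produce no finding, which is the point: the rule set stays quiet on ordinary denied and ordinary public traffic and fires only where a protected prefix answered successfully or where the raw path was shaped to confuse a matcher. Feeding `triage()` from a SIEM export instead of `SAMPLE` is the only change needed for a real run.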
Exploit Development Considerations
- Fuzzing Techniques:
- Use Burp Suite, OWASP ZAP, or custom scripts to test path variations.
- Bypass Testing:
  - Attempt URL encoding, double slashes, and path traversal (e.g., `%2e%2e%2f`).
Conclusion & Recommendations
CVE-2023-34034 is a critical security misconfiguration that highlights the importance of consistent path-matching in security frameworks. Organizations using Spring WebFlux with Spring Security must:
- Immediately upgrade to patched versions.
- Audit security configurations for `**` patterns.
- Implement compensating controls (e.g., WAF rules, stricter path matching).
- Monitor for exploitation attempts via logs and SIEM.
Failure to address this vulnerability could lead to unauthorized access, data breaches, and compliance violations. Security teams should prioritize remediation and conduct thorough testing post-patch.