Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4vpr-xfrp-cj64: Spring Security's authorization rules can be misconfigured when using multiple servlets

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)

Specifically, an application is vulnerable when all of the following are true:

  • Spring MVC is on the classpath
  • Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
  • The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints

An application is not vulnerable if any of the following is true:

  • The application does not have Spring MVC on the classpath
  • The application secures no servlets other than Spring MVC’s DispatcherServlet
  • The application uses requestMatchers(String) only for Spring MVC endpoints
ghsa
#git#java#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-34035

Spring Security’s authorization rules can be misconfigured when using multiple servlets

High severity GitHub Reviewed Published Jul 18, 2023 to the GitHub Advisory Database • Updated Jul 19, 2023

Package

maven org.springframework.security:spring-security-config (Maven)

Affected versions

>= 5.8.0, < 5.8.5

>= 6.0.0, < 6.0.5

>= 6.1.0, < 6.1.2

Patched versions

5.8.5

6.0.5

6.1.2

Published to the GitHub Advisory Database

Jul 18, 2023

Last updated

Jul 19, 2023

Related news

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2023-34035: CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.) Specifically, an application is vulnerable when all of the following are true: * Spring MVC is on the classpath * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet) * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints An application is not vulnerable if any of the following is true: * The application does not have Spring MVC on the classpath * The application secures no servlets other than Spring MVC’s DispatcherServlet * The application uses requestMatchers(Strin...