7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
0.001 Low
EPSS
Percentile
20.4%
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)
Specifically, an application is vulnerable when all of the following are true:
An application is not vulnerable if any of the following is true:
github.com/advisories/GHSA-4vpr-xfrp-cj64
github.com/spring-projects/spring-security-samples/commit/4e3bec904a5467db28ea33e25ac9d90524b53d66
github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/preauth
github.com/spring-projects/spring-security/commit/bb46a5427005e33e637b15948de8adae244ce547
github.com/spring-projects/spring-security/commit/df239b6448ccf138b0c95b5575a88f33ac35cd9a
nvd.nist.gov/vuln/detail/CVE-2023-34035
spring.io/security/cve-2023-34035