1. Summary

Vulnerability Name

Spring Security Authentication Bypass Vulnerability (CVE-2023-34034)

Release Date

July 19, 2023

Component Name

Spring Security

Affected Versions

6.1.0 ≤ Spring Security ≤ 6.1.1
6.0.0 ≤ Spring Security ≤ 6.0.4
5.8.0 ≤ Spring Security ≤ 5.8.4
5.7.0 ≤ Spring Security ≤ 5.7.9
5.6.0 ≤ Spring Security ≤ 5.6.11

Vulnerability Type

Authentication Bypass Vulnerability

Severity

CVSS v3 Base Score: 9.8 (Critical)

Exploitability

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Impact

Confidentiality Impact: High

Integrity Impact: High

Availability Impact: High

2. About the Vulnerability CVE-2023-34034

2.1 About the Component

Spring Security is a security framework that provides authentication, authorization, and other security features to protect web applications from attacks. Its goal is to ensure that only authenticated and authorized users can access certain parts of the application or perform specific actions.

While Spring Security was initially developed to protect Servlet-based applications, it has been extended to provide support for securing reactive applications based on Spring WebFlux.

2.2 About the Vulnerability

On July 19, 2023, Sangfor FarSight Labs received notification about an authentication bypass vulnerability in Spring Security, identified as CVE-2023-34034, with a severity rating of Critical (CVSS Score 9.1).

The vulnerability arises from using an un-prefixed double wildcard pattern "**" in Spring Security configuration for WebFlux. This creates a mismatch in pattern matching between Spring Security and Spring WebFlux, which can potentially be exploited by an attacker to bypass security restrictions.

In Spring Security, the URL patterns used to define security constraints are specified as regular expressions. The "**" pattern matches any URL, which means that if you use it in your configuration, any request will be subject to the security constraints that you have defined.

However, in Spring WebFlux, the "**" pattern is not interpreted as a regular expression. Instead, it is interpreted as a literal match for any URL that begins with the specified path. This means that if you use the "**" pattern in your Spring Security configuration for WebFlux, you may not be enforcing the security constraints that you intended.

For example, consider the following line in a Spring Security configuration:

http.authorizeRequests().antMatchers("/**").authenticated();

This will require all requests to be authenticated, regardless of the URL. However, if you use Spring WebFlux, this configuration will only require requests that begin with the "/" path to be authenticated. This means that requests to other paths, such as "/api/v1/users", will not be subject to any security constraints. Attackers may manipulate the URL path in a way that exploits the inconsistency between the two components, allowing them to access protected resources that should have been secured by Spring Security.
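As an added illustration (not code from the advisory or from Spring itself), the WebFlux configuration below places the un-prefixed "**" pattern the advisory describes next to a prefixed catch-all; the class name and the "/public/**" and "/api/**" paths are assumed:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Hypothetical WebFlux application; "/public/**" and "/api/**" are assumed paths.
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Not registered as a bean: kept only to show the weak form. The un-prefixed
    // "**" is the pattern CVE-2023-34034 concerns on affected versions: Spring
    // Security and Spring WebFlux do not agree on what it matches, so the intended
    // "everything else requires a login" rule may not cover every request path.
    static SecurityWebFilterChain weakChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/public/**").permitAll()
                        .pathMatchers("**").authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }

    // Corrected form: the catch-all is written with a leading "/" so it is an
    // ordinary absolute-path pattern, and anyExchange() is the idiomatic fallback
    // that needs no pattern at all. Pair this with the upgrade to a fixed release
    // (6.1.2 / 6.0.5 / 5.8.5 / 5.7.10 / 5.6.12) named in the Solutions section.
    @Bean
    SecurityWebFilterChain hardenedChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/public/**").permitAll()
                        .pathMatchers("/api/**").authenticated()
                        .anyExchange().authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

A quick audit of an existing code base is to search its security configuration for pathMatchers calls whose pattern is exactly "**" and rewrite them as "/**" or anyExchange().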

3. Affected Versions

6.1.0 ≤ Spring Security ≤ 6.1.1
6.0.0 ≤ Spring Security ≤ 6.0.4
5.8.0 ≤ Spring Security ≤ 5.8.4
5.7.0 ≤ Spring Security ≤ 5.7.9
5.6.0 ≤ Spring Security ≤ 5.6.11

4. Solutions

4.1 Spring Solution

4.1.1 Version Upgrade

Spring has released updated versions of Spring Security (6.1.2 / 6.0.5 / 5.8.5 / 5.7.10 / 5.6.12) that fix the vulnerability, and users are advised to upgrade as soon as possible. Link: https://spring.io/projects/spring-security

The above versions require Spring Framework versions: 6.0.11+ / 5.3.29+ / 5.2.25+

5. Timeline

On July 19, 2023, Sangfor FarSight Labs received notification about the Spring WebFlux Authentication Bypass Vulnerability (CVE-2023-34034).

On July 19, 2023, Sangfor FarSight Labs released a vulnerability alert.

6. Reference

https://spring.io/security/cve-2023-34034

https://nvd.nist.gov/vuln/detail/CVE-2023-34034

7. Learn More

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
