PT-2023-3579 · Spring · Spring Security
Mouad Kondah · Published 2023-07-17 · Updated 2023-07-27 · CVE-2023-34035

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Spring Security versions 5.8 prior to 5.8.5
Spring Security versions 6.0 prior to 6.0.5
Spring Security versions 6.1 prior to 6.1.2

Description
The issue is an authorization rule misconfiguration in Spring Security when it secures multiple servlets, including Spring MVC's DispatcherServlet. It occurs when the application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints. An application is vulnerable if all three conditions hold: Spring MVC is on the classpath, Spring Security is securing more than one servlet, and the application uses requestMatchers(String) for non-Spring MVC endpoints.

Recommendations
For Spring Security versions 5.8 prior to 5.8.5, update to version 5.8.5 or later.
For Spring Security versions 6.0 prior to 6.0.5, update to version 6.0.5 or later.
For Spring Security versions 6.1 prior to 6.1.2, update to version 6.1.2 or later.
As a temporary workaround, consider restricting the use of requestMatchers(String) to Spring MVC endpoints only until a patch is applied. Restrict access to the DispatcherServlet to minimize the risk of exploitation. Avoid using requestMatchers(String) for non-Spring MVC endpoints until the issue is resolved.
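The following is an added illustration, not code from the advisory or from the Spring Security project, of the misconfiguration described above beside the explicit-matcher form the recommendations call for. When Spring MVC is on the classpath, requestMatchers(String) builds an MvcRequestMatcher, which is evaluated against the DispatcherServlet's mapping; applied to a path served by a different servlet, the rule may not match the requests that actually reach that servlet. The servlet paths ("/admin-servlet/**", "/app", "/api/**") and the role name are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Added example (not from the advisory). Assumes two servlets are secured:
// a plain servlet mapped under /admin-servlet/* and a DispatcherServlet
// mapped under /app/* that serves the Spring MVC endpoints /app/api/**.
@Configuration
public class SecurityConfig {

    // MISCONFIGURED (matches the advisory's description): requestMatchers(String)
    // is used for "/admin-servlet/**", which is not a Spring MVC endpoint. With
    // Spring MVC on the classpath this becomes an MvcRequestMatcher, so the
    // rule is not reliably applied to requests handled by the other servlet.
    // Shown for comparison only; it is intentionally not registered as a bean.
    SecurityFilterChain misconfiguredChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin-servlet/**").hasRole("ADMIN") // non-MVC servlet
                .requestMatchers("/api/**").authenticated()            // Spring MVC endpoints
                .anyRequest().authenticated());
        return http.build();
    }

    // HARDENED: state explicitly which matcher applies to which servlet.
    // AntPathRequestMatcher for the non-MVC servlet path, and an
    // MvcRequestMatcher scoped to the DispatcherServlet's servlet path
    // for the Spring MVC endpoints. HandlerMappingIntrospector is the bean
    // Spring MVC registers for this purpose.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            HandlerMappingIntrospector introspector)
            throws Exception {
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector)
                .servletPath("/app"); // assumed DispatcherServlet mapping: /app/*
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/admin-servlet/**")).hasRole("ADMIN")
                .requestMatchers(mvc.pattern("/api/**")).authenticated()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

The hardened chain keeps the same rules but removes the ambiguity the advisory describes: each pattern is bound to the servlet it is meant to protect, so adding or remapping a servlet cannot silently change which rule a request falls under.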

Exploit

Fix

Improper Authorization

Incorrect Authorization


Weakness Enumeration

Related Identifiers

BDU:2023-03800
CVE-2023-34035
GHSA-4VPR-XFRP-CJ64

Affected Products

Spring Security