Improper Authorization Affecting org.springframework.security:spring-security-config package, versions [5.8.0,5.8.5) [6.0.0,6.0.5) [6.1.0,6.1.2)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777882
- published 18 Jul 2023
- disclosed 18 Jul 2023
- credit Mouad Kondah from Kudelski Security
Introduced: 18 Jul 2023
CVE-2023-34035 Open this link in a new tabHow to fix?
Upgrade org.springframework.security:spring-security-config to version 5.8.5, 6.0.5, 6.1.2 or higher.
Overview
org.springframework.security:spring-security-config is a security configuration package for Spring Framework.
Affected versions of this package are vulnerable to Improper Authorization due to improper validation in the requestMatchers, leading to authorization rule misconfiguration when the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet.
Notes:
An application is only vulnerable when all of the following are true:
Spring MVC is on the
classpath.Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s
DispatcherServlet).The application uses
requestMatchers(String)to refer to endpoints that are not Spring MVC endpoints.