Warning: Exploit is available for CVE-2023-34034 a critical vulnerability in Spring Security!
CVE-2023-34034 is a critical RCE vulnerability in the Spring Framework. An attacker can exploit it to bypass security restrictions and thus could highly impact the confidentiality, integrity, and availability of the affected infrastructure.
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications, the release of a proof-of-concept for the exploitation of the vulnerability highly increase the risks.
The vulnerability (CVE-2023-34034) occurs when un-prefixed double wildcard pattern “**” is used in Spring Security configuration for WebFlux, leading to a mismatch in pattern matching between Spring Security and Spring WebFlux. This can potentially open up a route for a security bypass.
Even if at the time of publication of the vulnerability there was no known exploitation on it, on the 8th of August a proof-of -concept was released.
The vulnerability affects the following Spring Security versions are 6.1.0 to 6.1.1, 6.0.0 to 6.0.4, 5.8.0 to 5.8.4, 5.7.0 to 5.7.9, and 5.6.0 to 5.6.11.
Spring has released updated versions of Spring Security (6.1.2 / 6.0.5 / 5.8.5 / 5.7.10 / 5.6.12) to fix the vulnerability, users are recommended to upgrade as quickly as possible.
The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.