CVE-2023-34034 Overview
CVE-2023-34034 is a critical authorization bypass vulnerability in VMware Spring Security affecting WebFlux applications. The vulnerability arises from a mismatch in pattern matching behavior between Spring Security and Spring WebFlux when using the "**" wildcard pattern in security configuration. This discrepancy creates conditions where security rules may not be applied as intended, allowing attackers to bypass authentication and authorization controls to access protected resources.
Critical Impact
Attackers can exploit the pattern matching mismatch to bypass security controls in Spring WebFlux applications, potentially gaining unauthorized access to protected endpoints and sensitive data without authentication.
Affected Products
- VMware Spring Security 5.6.x prior to 5.6.12
- VMware Spring Security 5.7.x prior to 5.7.9
- VMware Spring Security 6.0.x prior to 6.0.5
- VMware Spring Security 6.1.x prior to 6.1.2
Discovery Timeline
- 2023-07-19 - CVE-2023-34034 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34034
Vulnerability Analysis
This vulnerability falls under the category of Authorization Bypass (CWE-281: Improper Preservation of Permissions). The fundamental issue lies in how Spring Security and Spring WebFlux interpret the "**" wildcard pattern differently when used in security configurations.
In Spring Security, the "**" pattern is commonly used to match any path or path segment in URL patterns for access control rules. However, when applied to WebFlux applications, the pattern matching semantics differ between the security framework and the WebFlux routing layer. This semantic mismatch means that certain URL paths that should be protected by security rules may be interpreted differently by Spring WebFlux, allowing requests to reach endpoints that were intended to be secured.
The vulnerability is particularly dangerous because developers may believe their applications are properly secured based on their Spring Security configuration, while in reality, certain attack paths remain accessible due to the pattern matching inconsistency.
Root Cause
The root cause of CVE-2023-34034 is the inconsistent interpretation of the "**" wildcard pattern between Spring Security's PathPattern matching implementation and Spring WebFlux's routing mechanism. When developers configure security rules using "**" patterns expecting consistent behavior, the divergent interpretation creates security gaps.
Spring Security's pattern matching logic and Spring WebFlux's path matching use different algorithms for resolving multi-segment wildcards, leading to edge cases where URLs that should match a security rule are not properly captured, effectively bypassing the intended access controls.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction to exploit. An attacker can craft specific URL paths that exploit the pattern matching discrepancy to access protected resources.
The attack typically involves:
- Identifying WebFlux endpoints protected by security rules using "**" patterns
- Crafting malformed or specially structured URL paths that bypass the security pattern matching
- Directly accessing protected endpoints that should require authentication or authorization
No verified proof-of-concept code is publicly available. What is known is that exploitation involves manipulating URL path structures to exploit the semantic differences in wildcard pattern interpretation. For detailed technical information, refer to the Spring Security CVE Analysis.
Detection Methods for CVE-2023-34034
Indicators of Compromise
- Unusual access patterns to WebFlux endpoints that should require authentication
- HTTP requests with malformed or unconventional URL path structures targeting protected resources
- Successful responses (HTTP 200) to endpoints that should return authentication errors (HTTP 401/403)
- Log entries showing access to administrative or sensitive endpoints from unauthenticated sessions
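The indicators above can be checked mechanically. The following scanner is an added example, not part of the original page: it reads access-log lines and reports any 2xx response on a path that should require authentication when the log shows no authenticated user. The Common Log Format, the field positions and the protected-path prefixes are assumptions for this example; adapt them to your own access logs.

```java
// Added example (not from the page): flags the indicator "successful response on
// an endpoint that should have required authentication". Log format and the
// protected prefixes are assumptions; adjust both for your deployment.
package example.detect;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BypassIndicatorScanner {

    // Assumed format: Common Log Format, where the third field is the
    // authenticated user ("-" when the request was anonymous).
    private static final Pattern CLF = Pattern.compile(
        "^(\\S+) \\S+ (\\S+) \\[[^\\]]+\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) \\S+");

    // Assumed: requests under these prefixes must never succeed unauthenticated.
    private static final List<String> PROTECTED_PREFIXES =
        List.of("/admin/", "/api/internal/");

    /** Returns the log lines showing an anonymous 2xx on a protected path. */
    public static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = CLF.matcher(line);
            if (!m.find()) {
                continue; // line does not parse as CLF; skip it
            }
            String user = m.group(2);
            String path = m.group(4);
            int status = Integer.parseInt(m.group(5));
            boolean anonymous = "-".equals(user);
            boolean success = status >= 200 && status < 300;
            if (anonymous && success && isProtected(path)) {
                hits.add(line);
            }
        }
        return hits;
    }

    private static boolean isProtected(String rawPath) {
        // Compare on the path only: drop any query string first.
        String path = rawPath.split("\\?", 2)[0];
        for (String prefix : PROTECTED_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic.
        List<String> sample = List.of(
            "203.0.113.5 - - [19/Jul/2023:10:00:01 +0000] \"GET /admin/users HTTP/1.1\" 401 0",
            "203.0.113.5 - alice [19/Jul/2023:10:00:02 +0000] \"GET /admin/users HTTP/1.1\" 200 512",
            "203.0.113.9 - - [19/Jul/2023:10:00:03 +0000] \"GET /admin/users?page=2 HTTP/1.1\" 200 512",
            "203.0.113.9 - - [19/Jul/2023:10:00:04 +0000] \"GET /public/index.html HTTP/1.1\" 200 1024");
        // Only the third line is reported: anonymous caller, 2xx, protected prefix.
        findSuspicious(sample).forEach(l -> System.out.println("SUSPICIOUS: " + l));
    }
}
```

Feeding the scanner a rolling window of logs and alerting on any hit gives a concrete SIEM rule for the "200 where a 401/403 was expected" indicator; the 401 line and the authenticated `alice` line are correctly ignored.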
Detection Strategies
- Review Spring Security configurations for WebFlux applications using "**" wildcard patterns
- Implement web application firewall (WAF) rules to detect path manipulation attempts
- Enable detailed access logging for all WebFlux endpoints to identify unauthorized access attempts
- Deploy runtime application self-protection (RASP) solutions to monitor authentication bypass attempts
Monitoring Recommendations
- Monitor application logs for authentication bypass indicators and unexpected successful authentications
- Set up alerts for access to sensitive endpoints from unexpected source IPs or without valid session tokens
- Implement security information and event management (SIEM) correlation rules for detecting pattern-based bypass attempts
- Conduct regular security audits of Spring Security configurations to identify vulnerable patterns
How to Mitigate CVE-2023-34034
Immediate Actions Required
- Upgrade Spring Security to a patched version: 5.6.12+, 5.7.9+, 6.0.5+, or 6.1.2+ depending on your version branch
- Review and audit all Spring Security configurations that use "**" wildcard patterns in WebFlux applications
- Implement additional authentication checks at the controller level as defense-in-depth
- Consider using more specific path patterns instead of broad "**" wildcards where possible
Patch Information
VMware has released patched versions of Spring Security that address the pattern matching inconsistency. Organizations should upgrade to the following minimum versions:
- Spring Security 5.6.12 for the 5.6.x branch
- Spring Security 5.7.9 for the 5.7.x branch
- Spring Security 6.0.5 for the 6.0.x branch
- Spring Security 6.1.2 for the 6.1.x branch
For complete patch details and upgrade instructions, refer to the Spring Security CVE Advisory and the NetApp Security Advisory.
Workarounds
- Avoid using "**" wildcard patterns in Spring Security configurations for WebFlux applications until patches can be applied
- Use explicit, fully-qualified path patterns instead of wildcards for critical security rules
- Implement method-level security annotations (@PreAuthorize, @Secured) as an additional layer of protection
- Deploy a reverse proxy or WAF with strict path validation rules to filter potentially malicious requests
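To make the root cause and the workarounds concrete, here is an added Spring Security 6.x WebFlux configuration; it is an example written for this page, not code from the Spring Security project or from the advisory. The commented-out rule shows the bare "**" wildcard the advisory warns about, the active rules use explicit, slash-prefixed patterns with a deny-by-default catch-all, and a controller method carries the method-level annotation the page suggests as a second layer. It assumes a Spring Boot application with spring-boot-starter-webflux and spring-boot-starter-security on the classpath; the paths and role names are placeholders.

```java
// Added example (not from the page or the Spring Security project): the
// pattern the advisory warns about beside the explicit-pattern workaround,
// plus method-level security as defense in depth. Paths and roles are assumed.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange(exchanges -> exchanges
                // BEFORE (do not use on an unpatched release): a bare "**" wildcard.
                // This is the pattern for which Spring Security and WebFlux routing
                // can disagree about which paths are covered.
                // .pathMatchers("**").authenticated()

                // AFTER: explicit, slash-prefixed patterns, most specific first.
                .pathMatchers("/actuator/health").permitAll()
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .pathMatchers("/api/**").authenticated()
                // Deny-by-default catch-all for everything not listed above,
                // expressed without a bare "**" pattern.
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class AdminController {

    // Second layer: even if a URL-level rule were not applied as intended,
    // the method itself rejects callers without ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/users")
    public Mono<String> listUsers() {
        return Mono.just("user list"); // placeholder body
    }
}
```

The ordering matters: `pathMatchers` rules are evaluated in declaration order, so the permissive health-check rule is placed first and the catch-all last. Upgrading to a patched release remains the actual fix; the explicit patterns and the `@PreAuthorize` check are the interim workarounds the page lists.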
# Verify the Spring Security version in a Maven project
mvn dependency:tree | grep spring-security

# Update Spring Security in pom.xml to a patched version (example for 6.1.x).
# With spring-boot-starter-parent, set the spring-security.version property
# instead of pinning individual artifacts.
# <dependency>
#     <groupId>org.springframework.security</groupId>
#     <artifactId>spring-security-core</artifactId>
#     <version>6.1.2</version>
# </dependency>

# Verify the resolved version in a Gradle project
./gradlew dependencies | grep spring-security
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.