CVE-2023-34035 Overview
CVE-2023-34035 is an authorization bypass vulnerability affecting VMware Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2. The vulnerability occurs when applications use requestMatchers(String) in conjunction with multiple servlets, including Spring MVC's DispatcherServlet, potentially leading to authorization rule misconfiguration that could allow unauthorized access to protected endpoints.
Critical Impact
Applications meeting specific configuration criteria may have authorization rules applied incorrectly, potentially exposing non-Spring MVC endpoints to unauthorized access.
Affected Products
- VMware Spring Security 5.8 prior to 5.8.5
- VMware Spring Security 6.0 prior to 6.0.5
- VMware Spring Security 6.1 prior to 6.1.2
Discovery Timeline
- 2023-07-18 - CVE-2023-34035 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34035
Vulnerability Analysis
This vulnerability stems from how Spring Security turns String patterns into request matchers when more than one servlet is being secured. When Spring MVC is on the classpath, requestMatchers(String) builds an MvcRequestMatcher, which matches patterns the way Spring MVC's DispatcherServlet (the component that maps HTTP requests to @Controller classes) would. That is the right behaviour for Spring MVC endpoints, but when the same String pattern is meant to protect an endpoint served by a different servlet, the pattern can be evaluated against a different path than the developer intended, and the rule is misapplied.
An application is vulnerable only when all of the following conditions are true:
- Spring MVC is on the classpath
- Spring Security is securing more than one servlet in a single application (one of them being Spring MVC's DispatcherServlet)
- The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints
Conversely, an application is not vulnerable if any of the following is true:
- The application does not have Spring MVC on the classpath
- The application secures no servlets other than Spring MVC's DispatcherServlet
- The application uses requestMatchers(String) only for Spring MVC endpoints
Root Cause
The root cause is classified as CWE-863 (Incorrect Authorization). requestMatchers(String) chooses its matcher implementation based on what is on the classpath, not on which servlet will serve the request: with Spring MVC present it applies Spring MVC's path-matching semantics to every pattern, including patterns written for non-Spring MVC servlets. A rule whose pattern was meant to match the literal request URL of such a servlet may therefore never fire, so the request falls through to a later, more permissive rule such as anyRequest().authenticated() or permitAll(), or it may fire for requests it was not meant to cover. Either way, the authorization rules are not enforced as written.
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker exploits the misconfiguration by sending ordinary HTTP requests to the non-Spring MVC endpoint whose rule is not being applied; no malformed input is involved, so the traffic looks legitimate. Whether credentials are needed depends on the rule the request falls through to: if the remaining rule is permitAll(), an unauthenticated remote attacker can reach the endpoint; if it is anyRequest().authenticated(), any valid low-privilege account is enough to reach functionality that was meant to require a stronger role.
When the misconfiguration is present, authorization checks that developers expect to be enforced on certain endpoints are bypassed, allowing access to application functionality or data that was intended to be restricted.
Detection Methods for CVE-2023-34035
Indicators of Compromise
- Unexpected access to protected endpoints by unauthenticated or unauthorized users
- Access log entries showing successful requests to endpoints that should require authentication
- Anomalous traffic patterns to non-Spring MVC servlet endpoints
- Authentication events not correlating with access to protected resources
Detection Strategies
- Review application configuration to identify usage of requestMatchers(String) with non-Spring MVC endpoints
- Audit servlet registrations (web.xml, ServletRegistrationBean beans, and auto-configured servlets such as Spring Boot's H2 console) to identify applications running servlets other than the DispatcherServlet
- Implement security testing to verify authorization rules are correctly applied across all endpoints
- Monitor for unauthorized access attempts to protected resources
Monitoring Recommendations
- Enable detailed access logging for all servlet endpoints to track authorization decisions
- Configure alerting for access to sensitive endpoints without corresponding authentication events
- Implement application-level auditing to capture authorization decisions and their outcomes
- Review SentinelOne Singularity Platform alerts for anomalous application behavior patterns
How to Mitigate CVE-2023-34035
Immediate Actions Required
- Upgrade Spring Security to version 5.8.5, 6.0.5, or 6.1.2 or later depending on your current version
- Audit all requestMatchers(String) configurations in your security configuration classes
- Verify that authorization rules are correctly applied to all servlets in multi-servlet applications
- Conduct penetration testing to validate authorization enforcement across all endpoints
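The following integration test is an added example, not code from the advisory or from the Spring Security project. It exercises the real embedded servlet container through TestRestTemplate rather than MockMvc, because MockMvc only drives the DispatcherServlet and therefore cannot reveal a rule that is misapplied to another servlet. It assumes a Spring Boot 3.1 application with a non-Spring MVC servlet at /reports/* that is meant to require ROLE_ADMIN, a public Spring MVC endpoint at /api/public/ping, HTTP Basic authentication, and in-memory users "alice" (ADMIN) and "bob" (USER) with the passwords shown; all of these names and paths are illustrative assumptions.

```java
// Added example (not from the advisory or the Spring Security project). Assumes a Boot 3.1
// app with a non-MVC servlet at /reports/* (ROLE_ADMIN only), an MVC endpoint at
// /api/public/ping (permitAll), HTTP Basic auth, and users alice/ADMIN and bob/USER.
// Every name, path and password here is an assumption chosen for illustration.
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;

// RANDOM_PORT starts the real servlet container, so requests to /reports/* are
// dispatched to the second servlet exactly as they would be in production.
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class NonMvcServletAuthorizationTest {

    @Autowired
    TestRestTemplate rest;

    private static final String NON_MVC_PATH = "/reports/summary";   // served by the extra servlet
    private static final String MVC_PATH = "/api/public/ping";       // served by DispatcherServlet

    @Test
    void anonymousIsRejectedOnNonMvcServlet() {
        ResponseEntity<String> r = rest.getForEntity(NON_MVC_PATH, String.class);
        // With HTTP Basic configured, an unauthenticated request must get a 401 challenge.
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
    }

    @Test
    void authenticatedNonAdminIsRejectedOnNonMvcServlet() {
        // This is the case CVE-2023-34035 breaks: a user who satisfies
        // anyRequest().authenticated() but not the hasRole("ADMIN") rule that was meant
        // to guard /reports/**. On a vulnerable configuration this returns 200 instead of 403.
        ResponseEntity<String> r = rest.withBasicAuth("bob", "bob-password")
                .getForEntity(NON_MVC_PATH, String.class);
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
    }

    @Test
    void adminIsAllowedOnNonMvcServlet() {
        ResponseEntity<String> r = rest.withBasicAuth("alice", "alice-password")
                .getForEntity(NON_MVC_PATH, String.class);
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.OK);
    }

    @Test
    void publicMvcEndpointStaysOpen() {
        // Control case: the Spring MVC endpoint must keep working after the matchers are
        // made explicit, so a fix does not trade one misconfiguration for another.
        ResponseEntity<String> r = rest.getForEntity(MVC_PATH, String.class);
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.OK);
    }
}
```

Run the test both before and after upgrading or changing the matchers: the second test is the one that fails on an affected version with the ambiguous configuration, and it should pass once the rule for /reports/** is expressed with an explicit matcher.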
Patch Information
VMware has released patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Spring Security 5.8.5 or later for 5.8.x branch
- Spring Security 6.0.5 or later for 6.0.x branch
- Spring Security 6.1.2 or later for 6.1.x branch
For detailed patch information and upgrade guidance, refer to the Spring Security Advisory CVE-2023-34035. Note that the fixed versions detect the ambiguous case at startup: when Spring MVC is present and more than one servlet is registered, requestMatchers(String) fails with an error asking for an explicit MvcRequestMatcher or AntPathRequestMatcher, so upgrading may require the same configuration changes described under Workarounds.
Workarounds
- Replace requestMatchers(String) with requestMatchers(RequestMatcher) and state the matcher type explicitly: AntPathRequestMatcher (AntPathRequestMatcher.antMatcher(...)) for endpoints served by non-Spring MVC servlets, and MvcRequestMatcher (built with MvcRequestMatcher.Builder, using servletPath(...) when the DispatcherServlet is not mapped at /) for Spring MVC endpoints
- Do not rely on requestMatchers(HttpMethod, String) as a substitute; it resolves String patterns the same way and is subject to the same ambiguity
- Scope security filter chains per servlet (for example with http.securityMatcher(...) and an explicit RequestMatcher) so that Spring MVC and non-Spring MVC servlets are not governed by the same ambiguous String patterns
- Implement additional authorization checks at the application layer as a defense-in-depth measure
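The configuration below is an added example, not code from the advisory or from the Spring Security project. It illustrates both the vulnerable pattern described under Vulnerability Analysis and Root Cause and the explicit-matcher workaround listed above: a Spring Boot 3.1 / Spring Security 6.1.x application that registers a second, non-Spring MVC servlet next to the DispatcherServlet (mapped at / by default) and protects it with an ADMIN-only rule. The servlet class, the /reports/* and /api/public/** paths, and the role names are assumptions chosen for illustration.

```java
// Added example (not from the advisory or the Spring Security project). Assumes Spring Boot
// 3.1 with Spring Security 6.1.x and the DispatcherServlet at its default mapping "/".
// ReportServlet, "/reports/*", "/api/public/**" and ROLE_ADMIN are illustrative assumptions.
import java.io.IOException;

import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Second servlet alongside the DispatcherServlet: this is what makes the String
    // patterns below ambiguous (condition 2 of the advisory).
    @Bean
    ServletRegistrationBean<ReportServlet> reportServlet() {
        return new ServletRegistrationBean<>(new ReportServlet(), "/reports/*");
    }

    // BEFORE (affected on 6.1.0/6.1.1 when the advisory's conditions hold): because Spring
    // MVC is on the classpath, requestMatchers(String) becomes an MvcRequestMatcher, so
    // "/reports/**" is evaluated with Spring MVC path semantics even though ReportServlet,
    // not the DispatcherServlet, serves those requests. When the pattern fails to match,
    // the request falls through to anyRequest().authenticated() and any logged-in user
    // reaches the admin-only servlet. Left without @Bean so it is not active; only one
    // chain may match every request.
    SecurityFilterChain vulnerableChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/reports/**").hasRole("ADMIN")
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(withDefaults());
        return http.build();
    }

    // AFTER: say which matcher applies to which servlet. The non-MVC servlet gets a plain
    // AntPathRequestMatcher that compares against the literal URL; MVC endpoints get an
    // MvcRequestMatcher. If the DispatcherServlet were mapped at a prefix such as
    // "/spring/*", add .servletPath("/spring") to the builder.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http, HandlerMappingIntrospector introspector)
            throws Exception {
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(antMatcher("/reports/**")).hasRole("ADMIN")
                .requestMatchers(mvc.pattern("/api/public/**")).permitAll()
                .anyRequest().authenticated())
            .httpBasic(withDefaults());
        return http.build();
    }
}

// Minimal non-Spring MVC servlet standing in for an H2 console, a Jersey servlet, or any
// other servlet that Spring Security must protect next to the DispatcherServlet.
class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().write("admin-only report");
    }
}
```

The explicit form is also what the fixed versions steer you toward: on 5.8.5, 6.0.5 and 6.1.2 or later, the vulnerableChain variant would not start in a multi-servlet application, while hardenedChain works unchanged on both affected and fixed versions, so it is the safer shape to converge on before upgrading.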
# Verify current Spring Security version in Maven projects
mvn dependency:tree | grep spring-security
# Verify current Spring Security version in Gradle projects
./gradlew dependencies | grep spring-security
# Update pom.xml to patched version (example for 6.1.x branch)
# <spring-security.version>6.1.2</spring-security.version>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


