High-Severity Access Control Vulnerability Found in Spring WebFlux

Written by

A new security loophole has been found in Spring Security’s latest versions. Tracked as CVE-2023-34034, the flaw has a CVSS score of 9.8.

Spring Security is an integral part of the Java-based Spring Framework, catering to robust authentication and access control. With its broad user base, a security flaw within it could lead to devastating outcomes. 

An investigation on the vulnerability, conducted by JFrog’s researchers and described in an advisory published on Tuesday, aims to shed light on the exact nature of the flaw, its potential victims and a proof-of-concept (POC) illustrating the scenarios in which this flaw could be triggered for unauthorized access.

From a technical standpoint, the bug centers around a filter bypass issue that can allow unauthorized users to gain access to sensitive areas of applications built on Spring WebFlux. This exploit can potentially compromise the security and integrity of the applications in question.

The vulnerability affects web applications that utilize the Spring WebFlux framework, employ specific vulnerable Spring Security versions (e.g., 5.6.0) and use URL path filtering without a leading forward-slash, along with the inclusion of multiple-segment wildcards (e.g., .pathMatchers("admin/**")).

Read more on access control vulnerabilities: Cisco Enterprise Switch Flaw Exposes Encrypted Traffic

“Even though the given NVD Severity Score is Critical, this is only applicable to very specific cases detailed in our write-up and doesn’t affect all Spring applications by default. Applications utilizing the older ‘Spring MVC’ framework remain unaffected,” clarified Yair Mizrahi, a senior security researcher at JFrog.

“For the vulnerability to apply, the targeted Spring WebFlux applications must use a vulnerable version of Spring Security for authentication and access control.”

Despite this, DevOps teams and software developers are strongly advised to take prompt action to upgrade to secure versions of Spring Security or apply the recommended fixes contained in the JFrog advisory.

What’s hot on Infosecurity Magazine?