Critical severityNVD Advisory· Published Jul 19, 2023· Updated May 1, 2026
CVE-2023-34034
CVE-2023-34034
Description
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-configMaven | >= 5.6.0, < 5.6.12 | 5.6.12 |
org.springframework.security:spring-security-configMaven | >= 5.7.0, < 5.7.10 | 5.7.10 |
org.springframework.security:spring-security-configMaven | >= 5.8.0, < 5.8.5 | 5.8.5 |
org.springframework.security:spring-security-configMaven | >= 6.0.0, < 6.0.5 | 6.0.5 |
org.springframework.security:spring-security-configMaven | >= 6.1.0, < 6.1.2 | 6.1.2 |
Affected products
1- Range: Spring Security 6.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-3h6f-g5f3-gc4wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-34034ghsaADVISORY
- ossindex.sonatype.org/vulnerability/CVE-2023-34034ghsaWEB
- security.netapp.com/advisory/ntap-20230814-0008ghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777893ghsaWEB
- spring.io/security/cve-2023-34034ghsaWEB
- security.netapp.com/advisory/ntap-20230814-0008/mitre
News mentions
0No linked articles in our index yet.