
How to Fix CVE-2023-34034

Security Vulnerability –

How to remove CRITICAL security vulnerability CVE-2023-34034

Environment –

Reactive applications built on Spring WebFlux that use Spring Security path-pattern authorization rules containing "**". The advisory scopes this to WebFlux; servlet (Spring MVC) applications are not covered by it.

Root cause –

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass. Spring Security decides whether a request is authorized using its own interpretation of the pattern, while Spring WebFlux routes the request to a handler using its own; when the two disagree about what "**" matches, a request can be routed to a handler that the authorization rule was meant to cover but did not match.

Vulnerability Details –

NVD status: 9.8 Critical
NVD URL: CVE-2023-34034 (https://nvd.nist.gov/vuln/detail/CVE-2023-34034)

Solution –

Upgrade to a patched Spring Security release. Spring Security 6.1.2, shown below, contains the fix; note that being on 6.x is not enough by itself, because earlier 6.x releases are also affected, and patched releases were issued for the older 6.0 and 5.x lines as well. Keep every org.springframework.security artifact (including spring-security-web, which carries the WebFlux matchers) on the same version. If you build with Spring Boot's dependency management, override its spring-security.version property instead of pinning individual artifacts, so the managed version does not silently win.

<properties>
  <spring.security.version>6.1.2</spring.security.version> 
</properties> 

<dependency>    
  <groupId>org.springframework.security</groupId> 
  <artifactId>spring-security-core</artifactId> 
  <version>${spring.security.version}</version> 
</dependency> 

<dependency> 
  <groupId>org.springframework.security</groupId> 
  <artifactId>spring-security-config</artifactId> 
  <version>${spring.security.version}</version> 
</dependency>
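After changing the POM, confirm that the fixed version is actually what Maven resolves, because a managed version from a parent POM or BOM can override the property. The script below is an added check and is not part of the original article: it scans `mvn dependency:tree` output for org.springframework.security artifacts and flags any that are still below the first patched release of their line. The per-line patched versions are the ones listed in the Spring advisory for CVE-2023-34034 (6.1.2, 6.0.5, 5.8.5, 5.7.10, 5.6.12), and the dependency tree it runs on is a constructed sample of a WebFlux application still on 6.0.4.

```shell
#!/bin/sh
# Added check (not from the original article): scan `mvn dependency:tree` output for
# Spring Security artifacts that are still below the release that fixes CVE-2023-34034.
# Usage against a real build:   mvn -q dependency:tree | check_spring_security

# Minimum patched release for each affected line, as listed in the Spring advisory
# for CVE-2023-34034. Lines not listed here are outside the advisory's affected ranges.
fixed_for_line() {
  case "$1" in
    6.1) echo 6.1.2 ;;
    6.0) echo 6.0.5 ;;
    5.8) echo 5.8.5 ;;
    5.7) echo 5.7.10 ;;
    5.6) echo 5.6.12 ;;
    *)   echo "" ;;
  esac
}

# version_lt A B: succeed (exit 0) when A is strictly lower than B, comparing the
# dot-separated numeric components; a trailing qualifier such as -SNAPSHOT is ignored.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Reads dependency:tree text on stdin, prints one verdict per distinct Spring Security
# artifact, and returns non-zero if any artifact is still on a vulnerable version.
check_spring_security() {
  found=$(grep -o 'org\.springframework\.security:[^:]*:jar:[^:]*' |
    sort -u |
    while IFS=: read -r _group artifact _type version; do
      line=$(printf '%s\n' "$version" | cut -d. -f1,2)
      fixed=$(fixed_for_line "$line")
      if [ -z "$fixed" ]; then
        echo "NOT LISTED $artifact $version (outside the advisory's affected ranges)"
      elif version_lt "$version" "$fixed"; then
        echo "VULNERABLE $artifact $version (upgrade to $fixed or later)"
      else
        echo "OK $artifact $version"
      fi
    done)
  [ -n "$found" ] && printf '%s\n' "$found"
  ! printf '%s\n' "$found" | grep -q '^VULNERABLE'
}

# Constructed sample of dependency:tree output for a WebFlux application that is
# still on Spring Security 6.0.4 (an affected release, despite being 6.x).
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.0.6:compile
[INFO] +- org.springframework.security:spring-security-core:jar:6.0.4:compile
[INFO] +- org.springframework.security:spring-security-config:jar:6.0.4:compile
[INFO] \- org.springframework.security:spring-security-web:jar:6.0.4:compile'

if printf '%s\n' "$SAMPLE_TREE" | check_spring_security; then
  echo "result: no vulnerable Spring Security artifacts"
else
  echo "result: vulnerable Spring Security artifacts present"
fi
```

On the sample the three artifacts are reported as VULNERABLE because 6.0.4 is below 6.0.5, which is the point of the check: a 6.x version number alone does not mean the fix is present. Run it against the real tree after the upgrade and expect every org.springframework.security line to come back OK; a NOT LISTED verdict means the resolved version is outside the ranges the advisory names and should be confirmed by hand.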

Do you have another solution?

The solution provided above is based on the scenario one of our developers/contributors faced. If you faced the same issue and found another root cause, please share your solution in the comment section below. We will add the solution to this article.
