SB2023071828 - Incorrect authorization in Spring Security
Published: July 18, 2023 Updated: October 18, 2023
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect authorization (CVE-ID: CVE-2023-34035)
The vulnerability allows a remote attacker to bypass the authorization process.
The vulnerability exists due to authorization rule misconfiguration when the application uses requestMatchers(String) or requestMatchers(HttpMethod, String) and has multiple servlets, one of them being Spring MVC’s DispatcherServlet. A remote attacker can bypass authorization rules and gain unauthorized access to the application.
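The configuration condition described above, shown with the matcher type stated explicitly for each rule instead of left to requestMatchers(String). This is an added example, not code from the bulletin or from the Spring project; the /mvc servlet path, the second servlet at /reports/*, the URL patterns and the role names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumption: DispatcherServlet is mapped to /mvc/* and a second,
    // non-Spring servlet is mapped to /reports/*.
    @Bean
    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
        // Bind MVC pattern matching to the DispatcherServlet's servlet path.
        return new MvcRequestMatcher.Builder(introspector).servletPath("/mvc");
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc)
            throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
            // Form named in the bulletin; the matcher type is chosen implicitly:
            //   .requestMatchers("/admin/**").hasRole("ADMIN")

            // Spring MVC endpoint: matched with MVC rules, relative to /mvc.
            .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
            // Endpoint of the other servlet: Ant-style match on the request path.
            .requestMatchers(antMatcher("/reports/**")).hasRole("AUDITOR")
            // Fail closed for anything no rule above covers.
            .anyRequest().denyAll());
        return http.build();
    }
}
```

A request-level test per rule (for example with MockMvc and an unauthenticated request) confirms that each pattern protects the endpoint it was written for.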
Remediation
Install the update from the vendor's website.