admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-29 01:31:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2023/CVE-2023-340xx/CVE-2023-34035.json
cad-safe-bot e6cbafdc40 Auto-Update: 2024-12-08T03:00:18.988682+00:00
2024-12-08 03:06:42 +00:00

121 lines
4.3 KiB
JSON
Raw Blame History

{
"id": "CVE-2023-34035",
"sourceIdentifier": "security@vmware.com",
"published": "2023-07-18T16:15:11.753",
"lastModified": "2024-11-21T08:06:26.667",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spring Security versions 5.8\u00a0prior to 5.8.5, 6.0\u00a0prior to 6.0.5,\u00a0and 6.1\u00a0prior to 6.1.2\u00a0could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String)\u00a0and multiple servlets, one of them being Spring MVC\u2019s DispatcherServlet.\u00a0(DispatcherServlet\u00a0is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * Spring MVC is on the classpath\n * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC\u2019s DispatcherServlet)\n * The application uses requestMatchers(String)\u00a0to refer to endpoints that are not Spring MVC endpoints\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not have Spring MVC on the classpath\n * The application secures no servlets other than Spring MVC\u2019s DispatcherServlet\n * The application uses requestMatchers(String)\u00a0only for Spring MVC endpoints\n\n\n\n"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security@vmware.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "LOW"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.0",
"versionEndExcluding": "5.8.5",
"matchCriteriaId": "C459A8B6-D5BD-4504-90DF-B539AFD4027E"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.0",
"versionEndExcluding": "6.0.5",
"matchCriteriaId": "9FC21F29-5A00-49C9-BDBD-F488E6E35AE3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.0",
"versionEndExcluding": "6.1.2",
"matchCriteriaId": "75F8781A-895F-4602-BA07-32BF2DF04CC9"
}
]
}
]
}
],
"references": [
{
"url": "https://spring.io/security/cve-2023-34035",
"source": "security@vmware.com",
"tags": [
"Exploit",
"Vendor Advisory"
]
},
{
"url": "https://spring.io/security/cve-2023-34035",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink