CVE-2023-34034 - Security Bypass

Severity: None2023-10-20

Security Advisories

Abstract

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v5.1.1 and olderNone Oxygen Content Fusion 6.0 build 2023110109
Oxygen Feedback v3.0.2 and olderNone Oxygen Feedback 3.0.3 build 2023083012

Mitigation

None

Detail

CVE-2023-34034

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34034 vulnerability description. However, since Oxygen products does not use WebFlux controllers, this vulnerability does not affect Oxygen products.

Starting with Oxygen Feedback v3.0.3 build 2023083012 Spring Security library was updated to a version which fixes this vulnerability.

Starting with Oxygen Content Fusion v6.0 build 2023110109 Spring Security library was updated to a version which fixes this vulnerability.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Declarative Amsterdam 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor