CVE-2023-34034 - Security Bypass
Severity: None
Published: 2023-10-20
Abstract
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v5.1.1 and older | None | Oxygen Content Fusion 6.0 build 2023110109 |
| Oxygen Feedback v3.0.2 and older | None | Oxygen Feedback 3.0.3 build 2023083012 |
Detail
CVE-2023-34034
Severity: Critical
CVSS Score: 9.8
The Spring Security third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2023-34034 vulnerability description. However, since Oxygen products do not use WebFlux controllers, the vulnerable code path is not reachable and this vulnerability does not affect Oxygen products.
Starting with Oxygen Feedback v3.0.3 build 2023083012, the Spring Security library was updated to a version that fixes this vulnerability.
Starting with Oxygen Content Fusion v6.0 build 2023110109, the Spring Security library was updated to a version that fixes this vulnerability.