Spring WebFlux uses unprefixed double wildcard pattern to bypass security CVE-2023-34034

Article directory

0.Preface
- loopholes
- Vulnerability introduction
- describe
1. Reference documents
2.Basic introduction
3.Solution
- 3.1. Upgrade version
4. Vulnerability repair source code analysis
5. Vulnerability Exploitation Examples

0.Foreword

Background: Scanning company projects into WebFlux using “**” as a pattern will lead to the CVE-2023-34034 vulnerability between Spring Security and Spring WebFlux.

Vulnerability

High | July 18, 2023 | CVE-2023-34034

Using “**” as a pattern in a Spring Security configured WebFlux can cause a pattern matching mismatch between Spring Security and Spring WebFlux, potentially leading to a security bypass. .

Vulnerability introduction

CVE-2023-34034: WebFlux uses unprefixed double wildcard pattern to bypass security

Description

Using “**” as a pattern in a Spring Security configured WebFlux can cause a pattern matching mismatch between Spring Security and Spring WebFlux, potentially leading to a security bypass.

Affected Spring products and versions
Spring Security:
6.1.0 to 6.1.1
6.0.0 to 6.0.4
5.8.0 to 5.8.4
5.7.0 to 5.7.9
5.6.0 to 5.6.11

The following Spring Security versions fix this vulnerability:

6.1.2+
6.0.5+
5.8.5+
5.7.10+
5.6.12+ The above versions require the following Spring Framework versions:

6.0.11+
5.3.29+
5.2.25+

1. Reference documents

CVE official website https://www.cve.org/CVERecord
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/ A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC: H/MI:H/MA:N &version=3.1
https://security.netapp.com/advisory/ntap-20230814-0008/

2.Basic introduction

The recently released new version of Spring Security fixes an access control vulnerability named CVE-2023-34034. This vulnerability is rated as a high-severity vulnerability and may have severe impact on Spring WebFlux applications that use Spring Security for authentication and access control.

Spring Security is a widely used Java authentication and access control framework for protecting enterprise-level Java applications. It integrates with Spring Framework and provides strong authentication and authorization capabilities.

Spring WebFlux is a reactive programming alternative introduced in Spring Framework 5 for building asynchronous, non-blocking and reactive applications. It utilizes reactive streaming API to handle requests and is characterized by high performance and scalability.

The specific details of the vulnerability were discovered in the Spring Security's PathPatternParserServerWebExchangeMatcher class. Prior to the fix, this class used the parse() method of the PathPatternParser class to parse path patterns. The fix commit introduces a new parse() function that ensures the pattern starts with a slash before parsing it. However, before the fix, if the pattern did not end in a slash and the request path contained a slash, the path matcher would be bypassed, causing authentication and authorization bypass.

An attacker could exploit this vulnerability to bypass access control by modifying double slashes in the request path, thereby gaining unauthorized access to protected resources.

In order to fix this vulnerability, it is recommended to upgrade to a Spring Security version that fixes the vulnerability as soon as possible. At the same time, access control rules and path patterns in the application need to be reviewed to ensure that they are not affected by this vulnerability. Pay special attention where you use the PathPatternParserServerWebExchangeMatcher class and make sure the path pattern ends with a slash. Additionally, conducting security testing and code reviews are important steps to ensure the security of your application.

Timely updating and fixing security vulnerabilities in applications is one of the key measures to protect the security of applications and user data.

3. Solution

3.1. Upgraded version

The following Spring Security versions fix this vulnerability:

6.1.2 +
6.0.5+
5.8.5+
5.7.10+
5.6.12+

The above version requires the following Spring Framework versions:

6.0.11+
5.3.29+
5.2.25+

4. Vulnerability repair source code analysis

Below is our deep dive into the source code, starting with the fixing commit (7813a9b).

web/src/main/java/org/springframework/security/web/server/util/matcher/PathPatternParserServerWebExchangeMatcher.java

PathPatternParser source code

Before looking at the comparison, we can see that before the fix, the PathPatternParserServerWebExchangeMatcher class used the parse() method implemented in the PathPatternParser class.

The fix commit introduces a new parse() function, implemented by the PathPatternParserServerWebExchangeMatcher class itself, which extends the parse() method of PathPatternParser and adds the initFullPathPattern( ).

As you can see from the source code, this utility function adds a slash to the beginning of the string, if it doesn’t already exist.

The test case clarifies the nature of the problem: if the configured pattern does not end with a slash, and the request path contains a slash, the match will succeed. This effectively allows path matchers to be bypassed.

/**

Prepares the given pattern for matching the full URL path.
By default, a leading slash is added for non-empty patterns.
@param pattern The pattern to initialize
@return updated schema
@since 5.2.25
*/
public String initFullPathPattern(String pattern) {<!-- -->
return (StringUtils.hasLength(pattern) & amp; & amp; !pattern.startsWith("/") ? "/" + pattern : pattern);
}
 
// Looking further at the commit, the newly introduced test validates this assessment:
class PathPatternParserServerWebExchangeMatcherTests {<!-- -->

reasonml
Copy
@Test
void matchesWhenConfiguredWithNoTrailingSlashAndPathContainsSlashThenMatches() {<!-- -->
PathPatternParserServerWebExchangeMatcher matcher = new PathPatternParserServerWebExchangeMatcher("user/**");
MockServerHttpRequest request = MockServerHttpRequest.get("/user/test").build();
assertThat(matcher.matches(MockServerWebExchange.from(request)).Continue from the previous answer:
.build().isMatch()).isTrue();
}

reasonml
Copy
@Test
void matchesWhenConfiguredWithNoTrailingSlashAndPathDoesNotContainSlashThenDoesNotMatch() {<!-- -->
PathPatternParserServerWebExchangeMatcher matcher = new PathPatternParserServerWebExchangeMatcher("user/**");
MockServerHttpRequest request = MockServerHttpRequest.get("/user").build();
assertThat(matcher.matches(MockServerWebExchange.from(request)).build().isMatch()).isFalse();
}

@Test
void matchesWhenConfiguredWithTrailingSlashAndPathContainsSlashThenMatches() {<!-- -->
PathPatternParserServerWebExchangeMatcher matcher = new PathPatternParserServerWebExchangeMatcher("user/**/");
MockServerHttpRequest request = MockServerHttpRequest.get("/user/test").build();
assertThat(matcher.matches(MockServerWebExchange.from(request)).build().isMatch()).isTrue();
}

@Test
void matchesWhenConfiguredWithTrailingSlashAndPathDoesNotContainSlashThenDoesNotMatch() {<!-- -->
PathPatternParserServerWebExchangeMatcher matcher = new PathPatternParserServerWebExchangeMatcher("user/**/");
MockServerHttpRequest request = MockServerHttpRequest.get("/user").build();
assertThat(matcher.matches(MockServerWebExchange.from(request)).build().isMatch()).isFalse();
}
}

5. Vulnerability Exploitation Example

To better understand how the vulnerability is exploited, we can demonstrate it through the following example:

Let’s say we have a Spring WebFlux application configured with the following path pattern:

PathPatternParserServerWebExchangeMatcher matcher = new PathPatternParserServerWebExchangeMatcher("admin/**");

When a user attempts to access the /admin/test path, Spring Security will perform authentication and authorization checks since the path matches the pattern.

Now, if an attacker tries to access the following path:

/admin//test
Note that double slashes (//) in the request path bypass the path matcher’s checks, causing authentication and authorization checks to be bypassed. An attacker can gain unauthorized access to protected resources.