CVE-2023-34034: 
Java vulnerability analysis and mitigation

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, leading to a potential security bypass. The vulnerability (CVE-2023-34034) affects Spring Security versions 6.1.0-6.1.1, 6.0.0-6.0.4, 5.8.0-5.8.4, 5.7.0-5.7.9, and 5.6.0-5.6.11. This critical vulnerability was discovered and responsibly disclosed by tkswifty and Ha1c9on (Spring Advisory).

The vulnerability occurs when URL path patterns in Spring Security configuration do not begin with a forward-slash character (/). For example, using pathMatchers("admin/") instead of pathMatchers("/admin/") creates a pattern matching mismatch between Spring Security and Spring WebFlux. This mismatch is particularly severe when using the multiple-segments wildcard character (**), as it affects all pages under the specified URL path. The vulnerability received a CVSS score of 9.8 (Critical) from NVD (NVD Database).

Successful exploitation of this vulnerability could lead to authentication bypass, allowing unauthorized access to protected endpoints. For instance, if an application uses pathMatchers("admin/**") to restrict access to administrative pages, an attacker could access these protected pages without proper authentication. This could result in unauthorized access to sensitive information and potential modification of protected data (JFrog Analysis).

The primary mitigation is to upgrade Spring Security to one of the following versions: 6.1.2+, 6.0.5+, 5.8.5+, 5.7.10+, or 5.6.12+. These updates require corresponding Spring Framework versions: 6.0.11+, 5.3.29+, or 5.2.25+. Alternatively, as a workaround, administrators can add a leading forward-slash (/) to any URL filter used in Spring Security configurations (Spring Advisory).