CVE-2023-34035: 
Java vulnerability analysis and mitigation

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 are affected by a high-severity vulnerability (CVE-2023-34035) that could lead to authorization rule misconfiguration. The vulnerability was discovered and reported by senior software engineer Mouad Kondah from Kudelski Security and was publicly disclosed on July 17, 2023. The issue affects applications using Spring MVC's DispatcherServlet along with multiple servlets and specific requestMatcher configurations (Spring Advisory, NVD).

The vulnerability occurs when specific conditions are met: Spring MVC is present on the classpath, Spring Security is securing multiple servlets including Spring MVC's DispatcherServlet (a component that maps HTTP endpoints to methods on @Controller-annotated classes), and the application uses requestMatchers(String) or requestMatchers(HttpMethod, String). The vulnerability has received a CVSS v3.1 base score of 7.3 (HIGH) from VMware and 5.3 (MEDIUM) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability can lead to authorization rule misconfiguration, potentially allowing unauthorized access to protected endpoints. This could result in security bypasses and compromise the application's access control mechanisms (Spring Advisory).

Users are advised to upgrade to patched versions: 5.8.x users should upgrade to 5.8.5, 6.0.x users should upgrade to 6.0.5, and 6.1.x users should upgrade to 6.1.2. If using multiple servlets with Spring MVC's DispatcherServlet, users may need to modify their configuration based on error messages at startup. For non-Spring MVC endpoints, it's recommended to use requestMatchers(new AntPathRequestMatcher('/endpoint')) instead of requestMatchers(String) (Spring Advisory, Security Online).