CVE-2023-34036: 
Java vulnerability analysis and mitigation

CVE-2023-34036 is a security vulnerability affecting reactive web applications that use Spring HATEOAS for hypermedia-based responses. The vulnerability was discovered in July 2023 and affects Spring HATEOAS versions 1.5.4 or older, 2.0.4 or older, and 2.1.0. The issue exposes applications to potential exploitation through malicious forwarded headers when proper infrastructure protection is not in place (Spring Advisory).

The vulnerability occurs in applications using the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. The core issue lies in the handling of forwarded headers when the application infrastructure does not properly guard against clients submitting (X-)Forwarded headers. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

When exploited, this vulnerability could allow attackers to manipulate forwarded headers in requests, potentially leading to incorrect link generation in hypermedia-based responses. This could affect the application's behavior and potentially lead to security issues related to request routing and resource access (Spring Advisory).

The primary mitigation is to upgrade to patched versions of Spring HATEOAS: 1.5.5 or newer, 2.0.5 or newer, or 2.1.1 or newer. Alternatively, organizations can implement infrastructure measures to ensure that client-submitted (X-)Forwarded headers are disregarded before forwarding requests to the application (Spring Advisory).

The vulnerability was originally detected by Hans Hosea Schaefer from ing.de, and has been acknowledged and addressed by the Spring security team. The fix was included in Spring HATEOAS releases 1.5.5, 2.0.5, 2.1.1, and 2.2 M1, which were subsequently incorporated into Spring Boot versions 2.7.14, 3.0.9, 3.1.2, and 3.2 M1 (Spring Blog).