CVE-2023-34035: Improper Authorization

Kondah Mouad
3 min readJul 30, 2023

In this post, I will share how I discovered CVE-2023-34035, an authorization misconfiguration issue in the well-known Spring Security project.

If you use Spring Boot to build and deploy JVM applications, you have probably already encountered Spring Security, so the following snippet may ring a bell:

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

@EnableWebSecurity
@EnableMethodSecurity
@Configuration
class SecurityConfiguration {
    @Bean
    fun securityFilterChain(
        httpSecurity: HttpSecurity,
    ): SecurityFilterChain {
        // CORS and CSRF protection are switched off, as in the original snippet
        httpSecurity
            .cors().disable()
            .csrf().disable()
        // Ordered rules, first match wins: only POST /api requires the SCOPE_toto authority,
        // every other request is permitted without authentication
        httpSecurity.authorizeHttpRequests()
            .requestMatchers(HttpMethod.POST, "/api").hasAuthority("SCOPE_toto")
            .anyRequest().permitAll()
        // Accept bearer JWTs; each value of the scope claim becomes a SCOPE_<scope> authority
        httpSecurity.oauth2ResourceServer().jwt()
        return httpSecurity.build()
    }
}
```

The above snippet configures the web application so that every request is permitted by default, except POST requests to the path /api, which require the authority SCOPE_toto. In practice this means the JWT presented by the caller must contain the scope toto: the resource server prefixes each value of the token's scope claim with SCOPE_ when it converts it into a granted authority, so hasAuthority("SCOPE_toto") is the same as demanding the scope toto.
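The behaviour described above is easy to pin down with a MockMvc test, which is also the check I would want in place before touching such rules. The following is an added example written for this post, not code from the original article or from the Spring Security project. It assumes a Spring Boot test setup with spring-security-test on the classpath and a controller in the application that answers both GET and POST on /api with 200; the class name, test names and the SCOPE_read authority are made up for the example. The JwtDecoder bean is mocked because oauth2ResourceServer().jwt() refuses to start without a decoder or an issuer configured.

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.boot.test.mock.mockito.MockBean
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post
import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status

// Hypothetical test class, added for illustration; assumes the application exposes
// GET /api and POST /api through a controller that returns 200.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigurationTest {

    @Autowired
    lateinit var mockMvc: MockMvc

    // The jwt() post-processor below injects an already-authenticated principal,
    // so the decoder is never asked to parse a token; it only has to exist as a bean.
    @MockBean
    lateinit var jwtDecoder: JwtDecoder

    @Test
    fun `anonymous POST to api is rejected with 401`() {
        // No bearer token at all: the resource server's entry point answers 401
        mockMvc.perform(post("/api"))
            .andExpect(status().isUnauthorized())
    }

    @Test
    fun `token without scope toto is forbidden`() {
        // Authenticated, but SCOPE_read is not SCOPE_toto: access denied, 403
        mockMvc.perform(post("/api").with(jwt().authorities(SimpleGrantedAuthority("SCOPE_read"))))
            .andExpect(status().isForbidden())
    }

    @Test
    fun `token with scope toto is allowed`() {
        // The authority Spring derives from a "scope": "toto" claim
        mockMvc.perform(post("/api").with(jwt().authorities(SimpleGrantedAuthority("SCOPE_toto"))))
            .andExpect(status().isOk())
    }

    @Test
    fun `anonymous GET to api falls through to permitAll`() {
        // Only POST /api is matched by the first rule; GET /api hits anyRequest().permitAll()
        mockMvc.perform(get("/api"))
            .andExpect(status().isOk())
    }
}
```

Run it with the project's usual test task. CSRF is disabled in the configuration, so the POST requests need no CSRF token; if CSRF were enabled, the first test would fail with 403 from the CSRF filter rather than 401 from the bearer-token entry point, which is a useful reminder that the response code alone does not tell you which filter rejected the request.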

Discovering the misconfiguration did not take a genius; it was relatively straightforward.
