Home > Vulnerability Database > CVE-2023-34036

Mend.io Vulnerability Database

CVE-2023-34036

Good to know:

Date: July 17, 2023

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server. For the application to be affected, it needs to satisfy the following requirements: * It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. * The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.

Language: Java

Severity Score

5.3

Related Resources (4)

Url: https://github.com/spring-projects/spring-hateoas

Url: https://spring.io/security/cve-2023-34036

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-34036

Url: https://www.mend.io/vulnerability-database/CVE-2023-34036

Severity Score

5.3

Weakness Type (CWE)

Improper Encoding or Escaping of Output

CWE-116

Improper Neutralization of HTTP Headers for Scripting Syntax

CWE-644

Top Fix

Upgrade Version

Upgrade to version org.springframework.hateoas:spring-hateoas:1.5.5,2.0.5,2.1.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-34036

Good to know:

Date: July 17, 2023

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?