Vulnerability_id VCID-7ceg-a9bh-fkau
Summary
Incorrect Authorization
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)

Specifically, an application is vulnerable when all of the following are true:

 * Spring MVC is on the classpath
 * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
 * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints


An application is not vulnerable if any of the following is true:

 * The application does not have Spring MVC on the classpath
 * The application secures no servlets other than Spring MVC’s DispatcherServlet
 * The application uses requestMatchers(String) only for Spring MVC endpoints
Aliases
0
alias CVE-2023-34035
1
alias GHSA-4vpr-xfrp-cj64
Fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-config@5.8.5
purl pkg:maven/org.springframework.security/spring-security-config@5.8.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.5
1
url pkg:maven/org.springframework.security/spring-security-config@6.0.5
purl pkg:maven/org.springframework.security/spring-security-config@6.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.5
2
url pkg:maven/org.springframework.security/spring-security-config@6.1.2
purl pkg:maven/org.springframework.security/spring-security-config@6.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.1.2
3
url pkg:maven/org.springframework.security/spring-security-core@5.8.5
purl pkg:maven/org.springframework.security/spring-security-core@5.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dwcq-d6nf-1ubn
1
vulnerability VCID-sguk-f634-sfgs
2
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.5
4
url pkg:maven/org.springframework.security/spring-security-core@6.0.5
purl pkg:maven/org.springframework.security/spring-security-core@6.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dwcq-d6nf-1ubn
1
vulnerability VCID-sguk-f634-sfgs
2
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.5
5
url pkg:maven/org.springframework.security/spring-security-core@6.1.2
purl pkg:maven/org.springframework.security/spring-security-core@6.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-42hz-39hx-myh7
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-sguk-f634-sfgs
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.2
Affected_packages
0
url pkg:maven/org.springframework.security/spring-security-config@5.8.0
purl pkg:maven/org.springframework.security/spring-security-config@5.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.0
1
url pkg:maven/org.springframework.security/spring-security-config@5.8.1
purl pkg:maven/org.springframework.security/spring-security-config@5.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.1
2
url pkg:maven/org.springframework.security/spring-security-config@5.8.2
purl pkg:maven/org.springframework.security/spring-security-config@5.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.2
3
url pkg:maven/org.springframework.security/spring-security-config@5.8.3
purl pkg:maven/org.springframework.security/spring-security-config@5.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.3
4
url pkg:maven/org.springframework.security/spring-security-config@5.8.4
purl pkg:maven/org.springframework.security/spring-security-config@5.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-sguk-f634-sfgs
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.4
5
url pkg:maven/org.springframework.security/spring-security-config@6.0.0
purl pkg:maven/org.springframework.security/spring-security-config@6.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.0
6
url pkg:maven/org.springframework.security/spring-security-config@6.0.1
purl pkg:maven/org.springframework.security/spring-security-config@6.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.1
7
url pkg:maven/org.springframework.security/spring-security-config@6.0.2
purl pkg:maven/org.springframework.security/spring-security-config@6.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.2
8
url pkg:maven/org.springframework.security/spring-security-config@6.0.3
purl pkg:maven/org.springframework.security/spring-security-config@6.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.3
9
url pkg:maven/org.springframework.security/spring-security-config@6.0.4
purl pkg:maven/org.springframework.security/spring-security-config@6.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-sguk-f634-sfgs
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.4
10
url pkg:maven/org.springframework.security/spring-security-config@6.1.0
purl pkg:maven/org.springframework.security/spring-security-config@6.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.1.0
11
url pkg:maven/org.springframework.security/spring-security-config@6.1.1
purl pkg:maven/org.springframework.security/spring-security-config@6.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-sguk-f634-sfgs
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.1.1
12
url pkg:maven/org.springframework.security/spring-security-core@5.8.0
purl pkg:maven/org.springframework.security/spring-security-core@5.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-9tg6-2h2y-abah
3
vulnerability VCID-dwcq-d6nf-1ubn
4
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.0
13
url pkg:maven/org.springframework.security/spring-security-core@5.8.1
purl pkg:maven/org.springframework.security/spring-security-core@5.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.1
14
url pkg:maven/org.springframework.security/spring-security-core@5.8.2
purl pkg:maven/org.springframework.security/spring-security-core@5.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.2
15
url pkg:maven/org.springframework.security/spring-security-core@5.8.3
purl pkg:maven/org.springframework.security/spring-security-core@5.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.3
16
url pkg:maven/org.springframework.security/spring-security-core@5.8.4
purl pkg:maven/org.springframework.security/spring-security-core@5.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-sguk-f634-sfgs
4
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.4
17
url pkg:maven/org.springframework.security/spring-security-core@6.0.0
purl pkg:maven/org.springframework.security/spring-security-core@6.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-9tg6-2h2y-abah
3
vulnerability VCID-dwcq-d6nf-1ubn
4
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.0
18
url pkg:maven/org.springframework.security/spring-security-core@6.0.1
purl pkg:maven/org.springframework.security/spring-security-core@6.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.1
19
url pkg:maven/org.springframework.security/spring-security-core@6.0.2
purl pkg:maven/org.springframework.security/spring-security-core@6.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.2
20
url pkg:maven/org.springframework.security/spring-security-core@6.0.3
purl pkg:maven/org.springframework.security/spring-security-core@6.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.3
21
url pkg:maven/org.springframework.security/spring-security-core@6.0.4
purl pkg:maven/org.springframework.security/spring-security-core@6.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ceg-a9bh-fkau
1
vulnerability VCID-8dx4-u4aa-xuet
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-sguk-f634-sfgs
4
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.4
22
url pkg:maven/org.springframework.security/spring-security-core@6.1.0
purl pkg:maven/org.springframework.security/spring-security-core@6.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-42hz-39hx-myh7
1
vulnerability VCID-7ceg-a9bh-fkau
2
vulnerability VCID-8dx4-u4aa-xuet
3
vulnerability VCID-dwcq-d6nf-1ubn
4
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.0
23
url pkg:maven/org.springframework.security/spring-security-core@6.1.1
purl pkg:maven/org.springframework.security/spring-security-core@6.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-42hz-39hx-myh7
1
vulnerability VCID-7ceg-a9bh-fkau
2
vulnerability VCID-8dx4-u4aa-xuet
3
vulnerability VCID-dwcq-d6nf-1ubn
4
vulnerability VCID-sguk-f634-sfgs
5
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.1
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-34035
reference_id
reference_type
scores
0
value 0.02176
scoring_system epss
scoring_elements 0.8428
published_at 2026-04-02T12:55:00Z
1
value 0.02176
scoring_system epss
scoring_elements 0.84345
published_at 2026-04-11T12:55:00Z
2
value 0.02176
scoring_system epss
scoring_elements 0.84327
published_at 2026-04-09T12:55:00Z
3
value 0.02176
scoring_system epss
scoring_elements 0.84321
published_at 2026-04-08T12:55:00Z
4
value 0.02176
scoring_system epss
scoring_elements 0.84299
published_at 2026-04-07T12:55:00Z
5
value 0.02472
scoring_system epss
scoring_elements 0.85275
published_at 2026-04-12T12:55:00Z
6
value 0.02472
scoring_system epss
scoring_elements 0.85291
published_at 2026-04-21T12:55:00Z
7
value 0.02472
scoring_system epss
scoring_elements 0.85294
published_at 2026-04-18T12:55:00Z
8
value 0.02472
scoring_system epss
scoring_elements 0.85293
published_at 2026-04-16T12:55:00Z
9
value 0.02472
scoring_system epss
scoring_elements 0.85272
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-34035
1
reference_url https://github.com/spring-projects/spring-security/commit/bb46a5427005e33e637b15948de8adae244ce547
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/bb46a5427005e33e637b15948de8adae244ce547
2
reference_url https://github.com/spring-projects/spring-security/commit/df239b6448ccf138b0c95b5575a88f33ac35cd9a
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/df239b6448ccf138b0c95b5575a88f33ac35cd9a
3
reference_url https://github.com/spring-projects/spring-security-samples/commit/4e3bec904a5467db28ea33e25ac9d90524b53d66
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security-samples/commit/4e3bec904a5467db28ea33e25ac9d90524b53d66
4
reference_url https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/preauth
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/preauth
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34035
reference_id CVE-2023-34035
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-34035
6
reference_url https://spring.io/security/cve-2023-34035
reference_id CVE-2023-34035
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T15:47:27Z/
url https://spring.io/security/cve-2023-34035
7
reference_url https://github.com/advisories/GHSA-4vpr-xfrp-cj64
reference_id GHSA-4vpr-xfrp-cj64
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4vpr-xfrp-cj64
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 863
name Incorrect Authorization
description The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ceg-a9bh-fkau