How severe is CVE-2023-34036?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2023-34036?

This is classified as CWE-644, which is a common weakness in software security.

CVE-2023-34036 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server. For the application to be affected, it needs to satisfy the following requirements: * It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. * The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.

Related Vulnerabilities

CVE-2022-34316

MEDIUM

CVSS:5.3(Medium)

IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. IBM X-Force ID: 229452.

CWE-6442022

CVE-2024-30129

MEDIUM

CVSS:5.3(Medium)

The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would cause the request to be sent to a completely different domain/IP ad...

CWE-6442024

CVE-2025-0154

MEDIUM

CVSS:5.3(Medium)

IBM TXSeries for Multiplatforms 9.1 and 11.1 could disclose sensitive information to a remote attacker due to improper neutralization of HTTP headers.

CWE-6442025

CVE-2021-38997

MEDIUM

CVSS:5.4(Medium)

IBM API Connect V10.0.0.0 through V10.0.5.0, V10.0.1.0 through V10.0.1.7, and V2018.4.1.0 through 2018.4.1.19 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST...

CWE-6442021

CVE-2022-43847

MEDIUM

CVSS:5.4(Medium)

IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks again...

CWE-6442022

CVE-2023-26289

MEDIUM

CVSS:5.4(Medium)

IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vu...

CWE-6442023