Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-34034
• https://spring.io/security/cve-2023-34034
• https://ossindex.sonatype.org/vulnerability/CVE-2023-34034
• https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777893
• https://security.netapp.com/advisory/ntap-20230814-0008