CVE-2023-20860
published 2023-03-27
high 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libspring-java | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | >= 5.3.0 < 5.3.26 | 5.3.26 |
| vmware | spring_framework | >= 6.0.0 < 6.0.7 | 6.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | — | 7.5 | HIGH | — |