CVE-2023-20860

CWE-1558 documents7 sources

Severity

7.5HIGH

EPSS

56.3%

top 1.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework

Timeline

PublishedMar 27

Latest updateJul 15

Description

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDvmware/spring_framework5.3.0 — 5.3.26+1

▶Mavenorg.springframework:spring6.0.0 — 6.0.7+1

▶Mavenorg.springframework:spring-webmvc6.0.0 — 6.0.7+1

▶CVEListV5spring_frameworkSpring Framework (versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25)

🔴Vulnerability Details

OSV

Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch↗2023-03-28

▶

GHSA

Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch↗2023-03-28

▶

OSV

CVE-2023-20860: Spring Framework running version 6↗2023-03-27

▶

CVEList

CVE-2023-20860: Spring Framework running version 6↗2023-03-27

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Spring Framework) — CVE-2023-20860↗2023-07-15

▶

Red Hat

springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern↗2023-03-20

▶

Debian

CVE-2023-20860: libspring-java - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a...↗2023

▶