CVE-2023-20873

CWE-284 — Improper Access Control7 documents6 sources

Severity

9.8CRITICAL

EPSS

0.4%

top 39.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Boot

Timeline

PublishedApr 20

Latest updateOct 15

Description

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDvmware/spring_boot2.6.0 — 2.6.14+3

▶Mavenorg.springframework.boot:spring-boot-actuator-autoconfigure3.0.0 — 3.0.6+3

▶CVEListV5spring_bootSpring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions

🔴Vulnerability Details

CVEList

CVE-2023-20873: In Spring Boot versions 3↗2023-04-20

▶

OSV

Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry↗2023-04-20

▶

GHSA

Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry↗2023-04-20

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Utility (Spring Boot) — CVE-2023-20873↗2023-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Security (Spring Boot) — CVE-2023-20873↗2023-07-15

▶

Red Hat

spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry↗2023-05-18

▶