Severity: CRITICAL (9.1) · Ecosystem: Maven
Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch
GHSA-7phw-cxx7-q9vq · CVE-2023-20860
Description
Spring Framework versions 6.0.0 through 6.0.6 and 5.3.0 through 5.3.25, when "**" is used as a pattern in a Spring Security configuration with the mvcRequestMatcher, create a mismatch in pattern matching between Spring Security and Spring MVC, and with it the potential for a security bypass.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-20860
- WEB https://github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28a
- PACKAGE https://github.com/spring-projects/spring-framework
- WEB https://security.netapp.com/advisory/ntap-20230505-0006
- WEB https://spring.io/security/cve-2023-20860