CVE-2023-20860

Summary

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Affected Software

VendorProductVersion RangeStatus
n/aSpring FrameworkSpring Framework (versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25)affected

Weaknesses

  • Potential for security bypass with Spring mvcRequestMatcher configuration

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References