vulnerability

Red Hat OpenShift: CVE-2023-20860: springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:C/A:N)	2023-03-27	2023-06-26	2025-04-11

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:C/A:N)

Published

2023-03-27

Added

2023-06-26

Modified

2025-04-11

Description

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Solution

linuxrpm-upgrade-jenkins

References

CVE-2023-20860
https://attackerkb.com/topics/CVE-2023-20860
REDHAT-RHSA-2023:2100
REDHAT-RHSA-2023:3185
REDHAT-RHSA-2023:3610
REDHAT-RHSA-2023:3622
REDHAT-RHSA-2023:3625
REDHAT-RHSA-2023:3663
REDHAT-RHSA-2023:3771
REDHAT-RHSA-2023:3954
REDHAT-RHSA-2023:4612
REDHAT-RHSA-2023:4983

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today