CVE-2023-20860
Aliases:GHSA-7phw-cxx7-q9vq
Advisory lineage Upstream: 0 Downstream: 7
Modified
Published: 27 Mar 2023, 00:00
Last modified:19 Feb 2025, 19:05
Vulnerability Summary
Overall Risk (default)
medium
41/100 CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
56.28% CRITICAL
56% probability -0.08%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
27 Mar 2023, 00:00
Published
Vulnerability first disclosed
19 Feb 2025, 19:05
Last Modified
Vulnerability information updated
Description
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Trends
Current EPSS score: 56.28%• Percentile: 98%
Affected Systems
- org.springframework•spring
≥ 6.0.0, < 6.0.7 | ≥ 5.3.0, < 5.3.26
- org.springframework•spring-webmvc
≥ 6.0.0, < 6.0.7 | ≥ 5.3.0, < 5.3.26
- Unknown•Spring Framework
≥ 5.3.0, < 5.3.26 | ≥ 6.0.0, < 6.0.7
References (6)
- https://spring.io/security/cve-2023-20860
- https://security.netapp.com/advisory/ntap-20230505-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2023-20860
- https://github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28a
- https://github.com/spring-projects/spring-framework
- https://security.netapp.com/advisory/ntap-20230505-0006