Fluid Attacks Database

Description

Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework:spring	>=6.0.0 <6.0.7 \|\| >=5.3.0 <5.3.26	6.0.7, 5.3.26
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-webmvc	>=6.0.0 <6.0.7 \|\| >=5.3.0 <5.3.26	6.0.7, 5.3.26

Aliases

1. CVE-2023-208602. NVD-2023-208603. OSV-2023-208604. OSV-DEBIAN-2023-208605. GCVE-2023-208606. SECURITY-TRACKER-CVE-2023-20860

References

1. https://github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28a2. https://security.netapp.com/advisory/ntap-20230505-00063. https://spring.io/security/cve-2023-208604. https://github.com/limo520/CVE-2023-20860

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.