CVE-2023-20860
First published: Mon Mar 20 2023(Updated: )
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.401.1.1686831596-3.el8 | 0:2.401.1.1686831596-3.el8 |
| redhat/jenkins | <0:2.401.1.1686649641-3.el8 | 0:2.401.1.1686649641-3.el8 |
| redhat/jenkins | <0:2.401.1.1686680404-3.el8 | 0:2.401.1.1686680404-3.el8 |
| redhat/jenkins | <0:2.401.1.1685677065-1.el8 | 0:2.401.1.1685677065-1.el8 |
| redhat/ovirt-dependencies | <0:4.5.3-1.el8e | 0:4.5.3-1.el8e |
| VMware Spring Framework | >=5.3.0<5.3.26 | |
| VMware Spring Framework | >=6.0.0<6.0.7 | |
| redhat/springframework | <6.0.7 | 6.0.7 |
| redhat/springframework | <5.3.26 | 5.3.26 |
| maven/org.springframework:spring | >=5.3.0<5.3.26 | 5.3.26 |
| maven/org.springframework:spring | >=6.0.0<6.0.7 | 6.0.7 |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-20860 https://nvd.nist.gov/vuln/detail/CVE-2023-20860 https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861
- https://bugzilla.redhat.com/show_bug.cgi?id=2180528
- https://access.redhat.com/errata/RHSA-2023:3663
- https://access.redhat.com/errata/RHSA-2023:3610
- https://access.redhat.com/errata/RHSA-2023:3622
- https://access.redhat.com/errata/RHSA-2023:3185
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/errata/RHSA-2023:3625
- https://access.redhat.com/errata/RHSA-2023:3771
- https://access.redhat.com/errata/RHSA-2023:2100
- https://access.redhat.com/errata/RHSA-2023:4983
- https://access.redhat.com/errata/RHSA-2023:4612
- https://access.redhat.com/security/cve/cve-2023-20860
- https://security.netapp.com/advisory/ntap-20230505-0006/
- https://spring.io/security/cve-2023-20860
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2180531
- https://nvd.nist.gov/vuln/detail/CVE-2023-20860
- https://github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28a
- https://security.netapp.com/advisory/ntap-20230505-0006
- https://github.com/advisories/GHSA-7phw-cxx7-q9vq (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/250679
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-20860?
CVE-2023-20860 is a vulnerability in Spring Framework that allows for a security bypass.
How does CVE-2023-20860 occur?
CVE-2023-20860 occurs when using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching between Spring Security and Spring MVC.
Which versions of Spring Framework are affected by CVE-2023-20860?
Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25 are affected by CVE-2023-20860.
How can I fix CVE-2023-20860?
To fix CVE-2023-20860, update your Spring Framework to version 6.0.7 or 5.3.26, depending on the version you are currently using.
Where can I find more information about CVE-2023-20860?
You can find more information about CVE-2023-20860 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-20860), [Spring Security](https://spring.io/security/cve-2023-20860), [NetApp](https://security.netapp.com/advisory/ntap-20230505-0006/).
- collector/redhat-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-20860
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7phw-cxx7-q9vq
- agent/references
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/vmware
- canonical/vmware spring framework
- version/vmware spring framework/5.3.0
- version/vmware spring framework/6.0.0
- package-manager/maven
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes