What is CVE-2023-20860?

CVE-2023-20860 is a vulnerability in Spring Framework that allows for a security bypass.

How does CVE-2023-20860 occur?

CVE-2023-20860 occurs when using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching between Spring Security and Spring MVC.

Which versions of Spring Framework are affected by CVE-2023-20860?

Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25 are affected by CVE-2023-20860.

How can I fix CVE-2023-20860?

To fix CVE-2023-20860, update your Spring Framework to version 6.0.7 or 5.3.26, depending on the version you are currently using.

Where can I find more information about CVE-2023-20860?

You can find more information about CVE-2023-20860 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-20860), [Spring Security](https://spring.io/security/cve-2023-20860), [NetApp](https://security.netapp.com/advisory/ntap-20230505-0006/).

Vulnerability/
CVE-2023-20860

critical

9.1

CWE

155

20/3/2023

28/3/2023

14/3/2024

CVE-2023-20860

First published: Mon Mar 20 2023(Updated: )

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Credit: security@vmware.com security@vmware.com

Affected Software	Affected Version	How to fix
maven/org.springframework:spring	>=5.3.0<5.3.26	5.3.26
maven/org.springframework:spring	>=6.0.0<6.0.7	6.0.7
redhat/jenkins	<0:2.401.1.1686831596-3.el8	0:2.401.1.1686831596-3.el8
redhat/jenkins	<0:2.401.1.1686649641-3.el8	0:2.401.1.1686649641-3.el8
redhat/jenkins	<0:2.401.1.1686680404-3.el8	0:2.401.1.1686680404-3.el8
redhat/jenkins	<0:2.401.1.1685677065-1.el8	0:2.401.1.1685677065-1.el8
redhat/ovirt-dependencies	<0:4.5.3-1.el8e	0:4.5.3-1.el8e
VMware Spring Framework	>=5.3.0<5.3.26
VMware Spring Framework	>=6.0.0<6.0.7
IBM Watson Knowledge Catalog on-prem	<=4.x
redhat/springframework	<6.0.7	6.0.7
redhat/springframework	<5.3.26	5.3.26
	>=5.3.0<5.3.26
	>=6.0.0<6.0.7

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-20860?
CVE-2023-20860 is a vulnerability in Spring Framework that allows for a security bypass.
How does CVE-2023-20860 occur?
CVE-2023-20860 occurs when using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching between Spring Security and Spring MVC.
Which versions of Spring Framework are affected by CVE-2023-20860?
Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25 are affected by CVE-2023-20860.
How can I fix CVE-2023-20860?
To fix CVE-2023-20860, update your Spring Framework to version 6.0.7 or 5.3.26, depending on the version you are currently using.
Where can I find more information about CVE-2023-20860?
You can find more information about CVE-2023-20860 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-20860), [Spring Security](https://spring.io/security/cve-2023-20860), [NetApp](https://security.netapp.com/advisory/ntap-20230505-0006/).

collector/redhat-cve
collector/nvd-index
collector/ibm-support
agent/author
agent/type
agent/first-publish-date
agent/severity
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-20860
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-7phw-cxx7-q9vq
agent/last-modified-date
agent/references
agent/softwarecombine
agent/tags
agent/event
collector/nvd-cve
source/NVD
collector/github-advisory
package-manager/redhat
vendor/vmware
canonical/vmware spring framework
version/vmware spring framework/5.3.0
version/vmware spring framework/6.0.0
vendor/ibm
canonical/ibm watson knowledge catalog on-prem
version/ibm watson knowledge catalog on-prem/4.x
package-manager/maven