CVE-2023-20860
Published: 27 March 2023
Summary
CVE-2023-20860 is a high-severity vulnerability with an unspecified weakness type in VMware Spring Framework. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-20860 affects Spring Framework versions 6.0.0 through 6.0.6 and 5.3.0 through 5.3.25. The flaw arises when the double-wildcard pattern "**" is used in Spring Security configuration together with mvcRequestMatcher, producing inconsistent pattern evaluation between Spring Security and Spring MVC that can result in a security bypass.
An unauthenticated network attacker can exploit the mismatch to circumvent intended access controls, achieving a high integrity impact without requiring user interaction or elevated privileges. The CVSS 7.5 vector reflects remote exploitability with no confidentiality or availability consequences.
Spring and NetApp advisories reference the issue and direct users to updated Spring Framework releases that correct the pattern-matching behavior. The associated EPSS score stands at 0.6384 with no reported change trajectory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0927
Vulnerability details
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.