Cyber Resilience

CVE-2023-20860

Severity: High
Published: 27 March 2023
Modified: 19 February 2025
KEV Added: not listed
Patch: fixed releases available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.6384 (98.4th percentile)
Risk Priority: 53 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-20860 is a high-severity vulnerability in VMware's Spring Framework; no CWE is assigned on this page. Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score places it in the top 1.6% of CVEs by estimated exploit likelihood (98.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-20860 affects Spring Framework versions 6.0.0 through 6.0.6 and 5.3.0 through 5.3.25. The flaw arises when a pattern containing the double wildcard "**" is used in a Spring Security configuration together with the mvcRequestMatcher. Spring Security and Spring MVC evaluate such a pattern differently, so an authorization rule written against it may not apply to a request that Spring MVC nevertheless routes to the handler the rule was meant to protect; that gap is the security bypass.

An unauthenticated, remote attacker can exploit the mismatch to circumvent the intended access controls. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) records network exploitability with no privileges or user interaction required, a high integrity impact, and no confidentiality or availability impact.

Spring and NetApp advisories reference the issue and direct users to the updated Spring Framework releases (5.3.26 and 6.0.7) that correct the pattern-matching behavior. The EPSS score stands at 0.6384; no change trend is reported here.

EU & UK References

Vulnerability details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware
spring framework
5.3.0 up to (excluding) 5.3.26 · 6.0.0 up to (excluding) 6.0.7
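To turn the affected ranges from the analysis above (5.3.0 through 5.3.25 and 6.0.0 through 6.0.6, i.e. everything below the 5.3.26 and 6.0.7 releases listed as the upper bounds here) into an inventory check, the following is an added example; it is not code from this page, from Spring, or from VMware. It scans the output of `mvn dependency:list` for Spring Framework artifacts whose version falls inside an affected range and reports the release to upgrade to. The `[INFO] group:artifact:type[:classifier]:version:scope` line format is an assumption about the Maven dependency plugin's output, and the sample listing is constructed for the example.

```python
import re

# Affected ranges for CVE-2023-20860 as (first affected, first fixed); the upper
# bound is exclusive, matching how the asset listing above expresses them.
AFFECTED_RANGES = (
    ((5, 3, 0), (5, 3, 26)),
    ((6, 0, 0), (6, 0, 7)),
)

# The flaw is in Spring Framework itself. Spring Security and Spring Boot artifacts
# live in other groups and only matter through the framework version they pull in.
SPRING_FRAMEWORK_GROUP = "org.springframework"

# Assumed `mvn dependency:list` line shape: "[INFO]    group:artifact:type:version:scope",
# optionally with a classifier before the version. Anything else on the line is ignored.
DEP_LINE = re.compile(r"^\[INFO\]\s+(?P<coords>\S+)")

# Constructed sample listing (not captured from a real build) for an application
# that still resolves Spring Framework 6.0.6.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- dependency:3.5.0:list (default-cli) @ demo ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot:jar:3.0.4:compile
[INFO]    org.springframework:spring-webmvc:jar:6.0.6:compile
[INFO]    org.springframework:spring-core:jar:6.0.6:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.0.2:compile
[INFO]    org.springframework:spring-jcl:jar:6.0.6:compile
"""


def parse_coordinates(line):
    """Return (group, artifact, version) for a dependency line, else None.

    Coordinates are group:artifact:type[:classifier]:version:scope, so the
    version is always the second-to-last field regardless of a classifier.
    """
    m = DEP_LINE.match(line)
    if not m:
        return None
    parts = m.group("coords").split(":")
    if len(parts) < 5:
        return None
    return parts[0], parts[1], parts[-2]


def version_tuple(version):
    """Reduce '6.0.6', '5.3.25.RELEASE' or '6.0.7-SNAPSHOT' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_range(version):
    """Return the (lo, hi) range containing the version, or None when not affected."""
    v = version_tuple(version)
    if v is None:
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return lo, hi
    return None


def is_affected(version):
    return affected_range(version) is not None


def fixed_version_for(version):
    """First release that closes the gap for this version, e.g. '6.0.7' for '6.0.6'."""
    rng = affected_range(version)
    return ".".join(map(str, rng[1])) if rng else None


def scan_dependency_list(text):
    """Return (artifact, version, fixed_version) for every affected Spring Framework artifact."""
    findings = []
    for line in text.splitlines():
        coords = parse_coordinates(line)
        if coords is None:
            continue
        group, artifact, version = coords
        if group == SPRING_FRAMEWORK_GROUP and is_affected(version):
            findings.append((artifact, version, fixed_version_for(version)))
    return findings


if __name__ == "__main__":
    for artifact, version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version} is affected by CVE-2023-20860; upgrade to {fixed}")
```

Pipe a real listing in with `mvn dependency:list | python3 check.py` after swapping the sample for `sys.stdin.read()`. The group filter deliberately excludes `org.springframework.security` and `org.springframework.boot`: those artifacts are not what the CVE names, and a project on an affected framework version will show up through its `org.springframework:*` entries anyway.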

Mitigating Controls

No mitigating controls mapped yet.

References