CVE-2023-20860

State: PUBLISHED · Published: 2023-03-27 · Updated: 2025-02-19 · Assigner: vmware

Description

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

CWE

(none)

Affected

n/a / Spring Framework — v=Spring Framework (versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25) [affected]

CVSS

(none)

References

https://spring.io/security/cve-2023-20860
https://security.netapp.com/advisory/ntap-20230505-0006/

Source

cvelistV5-main/cves/2023/20xxx/CVE-2023-20860.json