CVE-2023-20860: Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

March 28, 2023 (updated June 16, 2023)

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using “**” as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

References

github.com/advisories/GHSA-7phw-cxx7-q9vq
github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28a
nvd.nist.gov/vuln/detail/CVE-2023-20860
spring.io/security/cve-2023-20860

Detect and mitigate CVE-2023-20860 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →