Description

Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Affected Spring Products and Versions

Spring Framework:
- 6.0.0 to 6.0.6
- 5.3.0 to 5.3.25
- Versions older than 5.3 are not affected

Mitigation

The following Spring Framework versions contain fixes for this vulnerability:

6.0.7+
5.3.26+

Credit

This vulnerability was discovered internally.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1

History

2023-03-20: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all

Spring Security Advisories

CVE-2023-20860: Security Bypass With Un-Prefixed Double Wildcard Pattern