Severity is high unless otherwise noted.
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5 and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses `requestMatchers(String)` or `requestMatchers(HttpMethod, String)` and multiple servlets, one of them being Spring MVC's `DispatcherServlet`. (`DispatcherServlet` is a Spring MVC component that maps HTTP endpoints to methods on `@Controller`-annotated classes.)
Specifically, an application is vulnerable when all of the following are true:
- The application uses multiple servlets, one of them being Spring MVC's `DispatcherServlet`
- The application uses `requestMatchers(String)` or `requestMatchers(HttpMethod, String)`
An application is not vulnerable if any of the following is true:
- The application does not use multiple servlets with one of them being Spring MVC's `DispatcherServlet`
- The application does not use `requestMatchers(String)` or `requestMatchers(HttpMethod, String)`
Users of affected versions should apply the following mitigations.
First:
Second, if you are using multiple servlets and one of them is Spring MVC's `DispatcherServlet`, you may see the following error message at startup time:
This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use `requestMatchers(MvcRequestMatcher)`;
otherwise, please use `requestMatchers(AntPathRequestMatcher)`.
Sometimes these extra servlets are not needed. For example, some servlet containers will add a `DefaultServlet` that `DispatcherServlet` effectively replaces. In many cases, such a servlet can be removed from your container's global configuration.
If the extra servlets are not needed, please try removing them and see if the error persists. If it does, please follow the instructions in the error message.
For several examples of how to address the error message, please see the following mitigation repo.
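As an added illustration of the instructions in the error message (this is example code, not from the advisory or the mitigation repo), the configuration below shows an ambiguous rule set beside its explicit replacement. The paths `/admin/**` and `/uploads/**`, and the assumption that `/uploads/**` is served by a second, non-Spring-MVC servlet, are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
public class SecurityConfig {

    // Before (ambiguous): with more than one servlet registered, Spring Security
    // cannot tell whether "/admin/**" refers to a Spring MVC endpoint served by
    // DispatcherServlet or to a path handled by another servlet, so the rule may
    // not be applied the way the author intended. Fixed versions refuse to start
    // with this configuration and print the error message quoted above.
    //
    // http.authorizeHttpRequests(auth -> auth
    //         .requestMatchers("/admin/**").hasRole("ADMIN")
    //         .requestMatchers(HttpMethod.POST, "/uploads/**").authenticated()
    //         .anyRequest().authenticated());

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    HandlerMappingIntrospector introspector) throws Exception {
        // After (explicit): say which servlet each pattern belongs to.
        // MvcRequestMatcher is for endpoints mapped by DispatcherServlet
        // (@Controller methods); the HandlerMappingIntrospector bean is
        // provided by Spring MVC.
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);

        http.authorizeHttpRequests(auth -> auth
                // hypothetical Spring MVC endpoints under /admin
                .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
                // hypothetical non-MVC servlet mounted under /uploads:
                // AntPathRequestMatcher matches on the raw servlet path instead
                .requestMatchers(new AntPathRequestMatcher("/uploads/**",
                        HttpMethod.POST.name())).authenticated()
                .anyRequest().authenticated());
        return http.build();
    }
}
```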
This issue was identified and responsibly reported by senior software engineer Mouad Kondah from Kudelski Security.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy