VMware offers training and certification to turbo-charge your progress.Learn more
Severity is high unless otherwise noted.
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5 and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses
requestMatchers(HttpMethod, String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet.
DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on
Specifically, an application is vulnerable when all of the following are true:
An application is not vulnerable if any of the following is true:
Users of affected versions should apply the following mitigations.
Second, if you are using multiple servlets and one of them is Spring MVC’s
DispatcherServlet, you may see the following error message at startup time:
This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use `requestMatchers(MvcRequestMatcher)`;
otherwise, please use `requestMatchers(AntPathRequestMatcher)`.
Sometimes these extra servlets are not needed. For example, some servlet containers will add a
DispatcherServlet effectively replaces. In many cases, such a servlet can be removed from your container's global configuration.
If the extra servlets are not needed, please try and remove them and see if the error persists. If it does, please follow the instructions in the error message.
For several examples of how to address the error message, please see the following mitigation repo.
This issue was identified and responsibly reported by senior software engineer Mouad Kondah from Kudelski Security.