Critical severityNVD Advisory· Published Mar 27, 2023· Updated Feb 19, 2025
CVE-2023-20860
CVE-2023-20860
Description
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:springMaven | >= 6.0.0, < 6.0.7 | 6.0.7 |
org.springframework:springMaven | >= 5.3.0, < 5.3.26 | 5.3.26 |
org.springframework:spring-webmvcMaven | >= 6.0.0, < 6.0.7 | 6.0.7 |
org.springframework:spring-webmvcMaven | >= 5.3.0, < 5.3.26 | 5.3.26 |
Affected products
3- Spring Framework/Spring Frameworkdescription
- ghsa-coords2 versions
>= 6.0.0, < 6.0.7+ 1 more
- (no CPE)range: >= 6.0.0, < 6.0.7
- (no CPE)range: >= 6.0.0, < 6.0.7
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-7phw-cxx7-q9vqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-20860ghsaADVISORY
- github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28aghsaWEB
- security.netapp.com/advisory/ntap-20230505-0006ghsaWEB
- spring.io/security/cve-2023-20860ghsaWEB
- security.netapp.com/advisory/ntap-20230505-0006/mitre
News mentions
0No linked articles in our index yet.