Spring Framework 5.3/6.0 (6.0.6) '**' Pattern Bypass in Security Config
CVE-2023-20860 Published on March 27, 2023

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

NVD

Vulnerability Analysis

CVE-2023-20860 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

HIGH

Availability Impact:

NONE

Products Associated with CVE-2023-20860

Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.

VMware Spring Framework

Exploit Probability

EPSS

53.88%

Percentile

97.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Spring Framework 5.3/6.0 (6.0.6) '**' Pattern Bypass in Security ConfigCVE-2023-20860 Published on March 27, 2023

Vulnerability Analysis

Products Associated with CVE-2023-20860

Exploit Probability

Spring Framework 5.3/6.0 (6.0.6) '**' Pattern Bypass in Security Config
CVE-2023-20860 Published on March 27, 2023