CVE-2023-20860
Published Mar 27, 2023
Last updated 2 years ago
Overview
- Description
- Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
- Source
- security@vmware.com
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9980B4D3-7C20-4812-9BE3-DDEE57228240",
"versionEndExcluding": "5.3.26",
"versionStartIncluding": "5.3.0"
},
{
"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8E40A602-3481-4DE3-9FE0-484E6368E291",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "6.0.0"
}
],
"operator": "OR"
}
]
}
]