Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-20860

Опубликовано: 20 мар. 2023
Источник: redhat
CVSS3: 7.5
EPSS Средний

Описание

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2springframeworkNot affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/elasticsearch6-rhel8Not affected
Migration Toolkit for Applications 6org.keycloak-keycloak-parentNot affected
Migration Toolkit for Runtimesorg.keycloak-keycloak-parentNot affected
Red Hat Data Grid 8springframeworkNot affected
Red Hat Enterprise Linux 8log4j:2/log4jNot affected
Red Hat Enterprise Linux 9log4jNot affected
Red Hat Integration Camel K 1springframeworkNot affected
Red Hat Integration Camel Quarkus 1springframeworkNot affected
Red Hat JBoss Data Grid 7springframeworkOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-155
https://bugzilla.redhat.com/show_bug.cgi?id=2180528springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

EPSS

Процентиль: 98%
0.63306
Средний

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-20860

CVSS3: 7.5
ubuntu
больше 2 лет назад

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

nvd логотип

CVE-2023-20860

CVSS3: 7.5
nvd
больше 2 лет назад

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

debian логотип

CVE-2023-20860

CVSS3: 7.5
debian
больше 2 лет назад

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using ...

github логотип

GHSA-7phw-cxx7-q9vq

CVSS3: 9.1
github
больше 2 лет назад

Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

fstec логотип

BDU:2023-02018

CVSS3: 7.5
fstec
больше 2 лет назад

Уязвимость компонента mvcRequestMatche Java-фреймворка для обеспечения безопасности промышленных приложений Spring Security, позволяющая нарушителю оказать воздействие на целостность защищаемой информации

EPSS

Процентиль: 98%
0.63306
Средний

7.5 High

CVSS3