Improper Neutralization of Wildcards or Matching Symbols in org.springframework:spring-webmvc
CVE-2023-20860
- org.springframework:spring-webmvc
Summary
In Spring Framework versions 5.3.0 through 5.3.25 and 6.0.0 through 6.0.6, using "**" as a pattern in Spring Security configuration with the 'mvcRequestMatcher' creates a mismatch in pattern matching between Spring Security and Spring MVC: a request can be matched differently by the security filter chain than by the Spring MVC handler mapping, with the potential for a security bypass.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-155 - Improper Neutralization of Wildcards or Matching Symbols
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.
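The first thing a practitioner wants from this advisory is to know whether the spring-webmvc on a build's classpath sits inside the affected ranges. The following is an added example, not code from the advisory or from the Spring project: it scans the text printed by `mvn dependency:tree` (assumed coordinate format `group:artifact:type[:classifier]:version:scope`, with `-Dverbose` conflict lines in parentheses) for org.springframework:spring-webmvc and flags versions in 5.3.0 through 5.3.25 or 6.0.0 through 6.0.6. The sample tree is constructed. The page lists only spring-webmvc and does not state which release carries the fix, so the check reports only whether a version lies inside the listed ranges.

```python
"""Flag org.springframework:spring-webmvc versions affected by CVE-2023-20860
in Maven dependency:tree output (added example, not the advisory's own code)."""
import re
from typing import List, Optional, Tuple

AFFECTED_ARTIFACT = "org.springframework:spring-webmvc"

# Affected ranges as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((5, 3, 0), (5, 3, 25)),
    ((6, 0, 0), (6, 0, 6)),
]

# Assumed dependency:tree coordinate shape: group:artifact:type[:classifier]:version:scope,
# preceded by tree glyphs such as "[INFO] |  \- ".
_COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse a Spring-style version (5.3.25, 6.0.7, 5.2.22.RELEASE, 6.0.7-SNAPSHOT)
    into (major, minor, patch). Qualifiers after the patch number are ignored,
    which is optimistic for pre-releases; returns None if there are not three
    leading numeric components."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_affected(tree_output: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, scope) for every spring-webmvc entry in an
    affected range. Transitive entries count: a vulnerable spring-webmvc pulled
    in by another library is still on the classpath. Lines that -Dverbose marks
    as "omitted for conflict/duplicate" are skipped, since Maven's dependency
    mediation does not put those versions on the classpath."""
    hits = []
    for line in tree_output.splitlines():
        if "omitted for" in line:
            continue
        m = _COORD_RE.search(line)
        if not m:
            continue
        coord = f"{m['group']}:{m['artifact']}"
        if coord == AFFECTED_ARTIFACT and is_affected(m["version"]):
            hits.append((coord, m["version"], m["scope"]))
    return hits


# Constructed sample, not real project output: a direct spring-webmvc in the
# affected range, an unrelated Spring Security artifact, and a verbose
# "omitted for conflict" line that must not be reported.
SAMPLE_TREE = r"""
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:5.3.25:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.25:compile
[INFO] |  \- org.springframework:spring-expression:jar:5.3.25:compile
[INFO] +- org.springframework.security:spring-security-web:jar:5.7.7:compile
[INFO] |  \- (org.springframework:spring-webmvc:jar:5.3.24:compile - omitted for conflict with 5.3.25)
[INFO] \- org.springframework.security:spring-security-config:jar:5.7.7:compile
"""

if __name__ == "__main__":
    for coord, version, scope in find_affected(SAMPLE_TREE):
        print(f"AFFECTED by CVE-2023-20860: {coord}:{version} ({scope})")
```

To run it against a real build, pipe `mvn dependency:tree -Dverbose` output into `find_affected` instead of `SAMPLE_TREE`; a hit on a transitive dependency is as actionable as a direct one, since the matcher mismatch lives in spring-webmvc regardless of who declared it.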
References
Advisory Timeline
- Published