How the '**' Pattern in Spring Security Can Bypass MVC Matching (CVE‑2023‑20860) and How to Fix It
CVE‑2023‑20860 reveals that using the '**' pattern with Spring Security's mvcRequestMatcher can produce a mismatch between Spring Security and Spring MVC pattern matching and a potential security bypass; the advisory lists the affected Spring Framework versions, the mitigation, and how to pin the fixed version via Gradle or Maven.
Description
CVE-2023-20860: Using "**" as a pattern in Spring Security together with mvcRequestMatcher can cause a mismatch between Spring Security and Spring MVC pattern matching, potentially leading to a security bypass. Spring Framework 6.0.7 and 5.3.26 contain the fix.
Affected Spring Products and Versions
Spring Framework versions:
6.0.0 to 6.0.6
5.3.0 to 5.3.25
Earlier versions are not affected
Mitigation
The following Spring Framework versions include the fix for this vulnerability:
6.0.7+
5.3.26+
Credits
The vulnerability was discovered internally.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1
History
2023-03-20: Initial vulnerability report published.
Spring Boot
Use the secure versions Spring Boot 3.0.5 and Spring Boot 2.7.10, which include the patched Spring Framework. You can also manually specify the Spring Framework version.
Configure the version in Gradle's build.gradle:
    ext['spring-framework.version'] = '6.0.7'

Or configure the version in Maven's pom.xml:

    <properties>
        <spring-framework.version>6.0.7</spring-framework.version>
    </properties>
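As an added example (not part of the advisory), the following Python script checks a Spring Framework version, or the version pinned in a build.gradle or pom.xml override of the kind shown above, against the affected ranges the advisory lists (6.0.0 to 6.0.6 and 5.3.0 to 5.3.25; fixed in 6.0.7+ and 5.3.26+). The sample build-file snippets are constructed; the function names are this example's own.

```python
"""Audit a Spring Framework version or build-file pin against CVE-2023-20860
(added example, not from the advisory). Affected ranges are taken from the
advisory: 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25; fixed in 6.0.7+ and 5.3.26+."""
import re

# Inclusive affected ranges as stated in the advisory.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 6)),
    ((5, 3, 0), (5, 3, 25)),
]

def parse_version(text):
    """Turn '6.0.7' or '5.3.26.RELEASE' into a comparable tuple such as (6, 0, 7)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# The two override forms from the advisory: the Gradle ext property and the
# Maven <spring-framework.version> property used by Spring Boot's dependency
# management.
GRADLE_RE = re.compile(r"ext\[\s*['\"]spring-framework\.version['\"]\s*\]\s*=\s*['\"]([^'\"]+)['\"]")
MAVEN_RE = re.compile(r"<spring-framework\.version>\s*([^<\s]+)\s*</spring-framework\.version>")

def find_pinned_versions(build_file_text):
    """Return every Spring Framework version explicitly pinned in the build file text."""
    return GRADLE_RE.findall(build_file_text) + MAVEN_RE.findall(build_file_text)

def audit_build_file(build_file_text):
    """Map each pinned version to True (affected) or False (fixed).
    An empty result means no explicit pin: the Spring Boot BOM version decides."""
    return {v: is_affected(v) for v in find_pinned_versions(build_file_text)}

if __name__ == "__main__":
    # Constructed sample inputs: a vulnerable Gradle pin and the fixed Maven pin.
    SAMPLE_GRADLE = "ext['spring-framework.version'] = '6.0.6'\n"
    SAMPLE_POM = ("<properties>\n"
                  "  <spring-framework.version>6.0.7</spring-framework.version>\n"
                  "</properties>\n")
    print(audit_build_file(SAMPLE_GRADLE))  # {'6.0.6': True}
    print(audit_build_file(SAMPLE_POM))     # {'6.0.7': False}
```

If neither override is present, check the Spring Boot version instead: 3.0.5 and 2.7.10 pull in the patched Spring Framework through their managed dependencies.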