CVE-2023-20860
Security Bypass vulnerability in spring (Maven)
What is CVE-2023-20860 About?
This vulnerability is a security bypass in Spring Framework versions 6.0.0-6.0.6 or 5.3.0-5.3.25 when `**` is used as a pattern in a Spring Security configuration with `mvcRequestMatcher`. The pattern is matched differently by Spring Security and by Spring MVC, and that mismatch can allow attackers to reach protected resources. Exploitation is plausible given the right configuration.
Affected Software
- org.springframework:spring
  - >6.0.0, <6.0.7
  - >5.3.0, <5.3.26
- org.springframework:spring-webmvc
  - >6.0.0, <6.0.7
  - >5.3.0, <5.3.26
Technical Details
The security bypass vulnerability in Spring Framework arises from a mismatch in how Spring Security and Spring MVC interpret pattern matching when `mvcRequestMatcher` is configured with the wildcard pattern `**`. Spring Security might interpret `**` broadly, while Spring MVC's request matching (especially for path parameters or suffixes) could be more lenient or apply a canonicalization that Spring Security does not recognize. Because of this discrepancy, a carefully crafted URL that Spring Security was intended to protect might be routed by Spring MVC to a controller that Spring Security did not protect, effectively bypassing the security controls. An attacker can exploit this by constructing URLs that reach the path that Spring MVC sees as unprotected.
What is the Impact of CVE-2023-20860?
Successful exploitation may allow attackers to bypass security configuration and gain unauthorized access to protected application resources.
What is the Exploitability of CVE-2023-20860?
Exploitation is of moderate complexity and has specific prerequisites: the application must run a vulnerable Spring Framework version, use Spring Security, and configure `mvcRequestMatcher` with the `**` pattern. No authentication is required to attempt the bypass if the targeted resource is meant to be protected from unauthenticated users, and the privileges needed are low, since the goal is to bypass the existing security configuration. It is typically exploitable remotely. The likelihood of exploitation is heightened when developers rely solely on general wildcard patterns without understanding the differences in path matching interpretation between Spring Security and Spring MVC.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| limo520 | Link | PoC for CVE-2023-20860 |
What are the Available Fixes for CVE-2023-20860?
Available Upgrade Options
- org.springframework:spring
  - >5.3.0, <5.3.26 → Upgrade to 5.3.26
  - >6.0.0, <6.0.7 → Upgrade to 6.0.7
- org.springframework:spring-webmvc
  - >5.3.0, <5.3.26 → Upgrade to 5.3.26
  - >6.0.0, <6.0.7 → Upgrade to 6.0.7
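The following checker is an added example, not code from this page or from the Spring project. It takes the text printed by `mvn dependency:list` (the `[INFO]    groupId:artifactId:type:version:scope` lines), flags the two artifact coordinates listed above when their version falls in an affected range, and reports the upgrade target. The range bounds follow the version summary in the description (5.3.0 through 5.3.25 fixed in 5.3.26, 6.0.0 through 6.0.6 fixed in 6.0.7); the sample build output at the bottom is constructed for the demonstration.

```python
"""Flag Maven dependencies in the CVE-2023-20860 affected ranges (added example)."""
import re

# Artifact coordinates exactly as listed on this page.
AFFECTED_ARTIFACTS = {
    "org.springframework:spring",
    "org.springframework:spring-webmvc",
}

# (first affected, first fixed): lower bound inclusive, upper bound exclusive.
# 5.3.0..5.3.25 are fixed in 5.3.26; 6.0.0..6.0.6 are fixed in 6.0.7.
AFFECTED_RANGES = [
    ((5, 3, 0), (5, 3, 26)),
    ((6, 0, 0), (6, 0, 7)),
]

# Leading numeric triple of a version; tolerates suffixes such as ".RELEASE" or "-SNAPSHOT".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# One resolved-dependency line of `mvn dependency:list`:
#   [INFO]    org.springframework:spring-webmvc:jar:6.0.6:compile
# Trailing text (for example a "-- module ..." note) is allowed after the scope.
DEP_LINE_RE = re.compile(
    r"^\[INFO\]\s+([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+:([A-Za-z0-9_.\-]+):([a-z]+)"
)


def parse_version(version):
    """Return (major, minor, patch) or None when the string has no numeric triple."""
    m = VERSION_RE.match(version)
    return tuple(int(g) for g in m.groups()) if m else None


def fixed_version_for(artifact, version):
    """Return the first fixed version when artifact/version is affected, else None."""
    if artifact not in AFFECTED_ARTIFACTS:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return None
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= parsed < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(artifact, version):
    return fixed_version_for(artifact, version) is not None


def scan_dependency_list(output):
    """Return (artifact, version, scope, fixed_version) for every affected line."""
    findings = []
    for line in output.splitlines():
        m = DEP_LINE_RE.match(line)
        if not m:
            continue
        group_id, artifact_id, version, scope = m.groups()
        artifact = f"{group_id}:{artifact_id}"
        fix = fixed_version_for(artifact, version)
        if fix is not None:
            findings.append((artifact, version, scope, fix))
    return findings


# Constructed sample output; not captured from a real build.
SAMPLE_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-webmvc:jar:6.0.6:compile
[INFO]    org.springframework:spring:jar:5.3.19:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.0.2:compile
[INFO]    com.example:demo-lib:jar:1.4.0:compile
"""

if __name__ == "__main__":
    for artifact, version, scope, fix in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"{artifact} {version} ({scope}) is affected; upgrade to {fix}")
```

Pipe real output in with `mvn dependency:list | python3 checker.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; a version string without a leading numeric triple is reported as not affected, so such entries should be reviewed by hand.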
Additional Resources
- https://spring.io/security/cve-2023-20860
- https://github.com/spring-projects/spring-framework
- https://security.netapp.com/advisory/ntap-20230505-0006/
- https://osv.dev/vulnerability/GHSA-7phw-cxx7-q9vq
- https://nvd.nist.gov/vuln/detail/CVE-2023-20860
- https://github.com/spring-projects/spring-framework/commit/202fa5cdb3a3d0cfe6967e85fa167d978244f28a
What are Similar Vulnerabilities to CVE-2023-20860?
Similar Vulnerabilities: CVE-2020-5407, CVE-2020-5410, CVE-2020-5421, CVE-2023-34035, CVE-2021-22967
