CVE-2023-20860: High severity vulnerability in Spring Framework

The Spring Framework is the backbone of countless Java enterprise applications. Its versatile nature accommodates the Java language in various enterprise settings while offering support for Groovy and Kotlin as alternative languages on the Java Virtual Machine (JVM). Consequently, the framework allows for the creation of diverse architectures tailored to the unique requirements of each application.

In an ongoing effort to maintain robust security, the Spring Framework has recently addressed two vulnerabilities—CVE-2023-20860 and CVE-2023-20861—in versions 6.0.7 and 5.3.26.

CVE-2023-20860: Security Bypass With Un-Prefixed Double Wildcard Pattern

This vulnerability, which carries a Common Vulnerability Scoring System (CVSS) score of 8.8, is a security bypass that can occur when an un-prefixed double wildcard pattern ("**") is used in a Spring Security configuration with mvcRequestMatcher. Such a pattern is matched differently by Spring Security and by Spring MVC, and that mismatch can allow unauthorized access to an endpoint the configuration was meant to protect.

The issue affects Spring Framework versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25. Older versions prior to 5.3 remain unaffected. To mitigate the risk, developers should update to Spring Framework version 6.0.7+ or 5.3.26+. The vulnerability was discovered internally.

CVE-2023-20861: Spring Expression DoS Vulnerability

This vulnerability, with a CVSS score of 5.3, is a denial-of-service (DoS) issue in the Spring Expression Language (SpEL). In Spring Framework versions 6.0.0 to 6.0.6, 5.3.0 to 5.3.25, 5.2.0.RELEASE to 5.2.22.RELEASE, and older unsupported versions, a user could craft a malicious SpEL expression that results in a DoS condition.

To mitigate this vulnerability, users of affected versions should update as follows:

  • 6.0.x users should upgrade to 6.0.7+
  • 5.3.x users should upgrade to 5.3.26+
  • 5.2.x users should upgrade to 5.2.23.RELEASE+

Users of older, unsupported versions should update to 6.0.7+ or 5.3.26+. No additional steps are necessary. The Google OSS-Fuzz team from Code Intelligence initially discovered and responsibly reported this vulnerability.
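Two checks an operator can run against the version ranges and the "**" pattern described above, added here as example code and not taken from the Spring project: the first maps a spring-framework version string to the CVEs that apply and the upgrade target stated in this advisory, the second flags un-prefixed "**" literals passed to mvcMatchers() or MvcRequestMatcher.Builder.pattern() in Java configuration. The sample configuration is constructed, and the regex assumes each matcher call sits on one line.

```python
import re

# Affected ranges (inclusive) and upgrade targets as stated in the advisory above.
AFFECTED = {
    "CVE-2023-20860": [((6, 0, 0), (6, 0, 6), "6.0.7"), ((5, 3, 0), (5, 3, 25), "5.3.26")],
    "CVE-2023-20861": [((6, 0, 0), (6, 0, 6), "6.0.7"), ((5, 3, 0), (5, 3, 25), "5.3.26"),
                       ((5, 2, 0), (5, 2, 22), "5.2.23.RELEASE")],
}

def parse_version(version):
    """'5.2.22.RELEASE' -> (5, 2, 22); the qualifier is ignored for range checks."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {version!r}")
    return tuple(int(x) for x in m.groups())

def affected_cves(version):
    """Map each CVE that applies to this spring-framework version to the version to upgrade to."""
    v = parse_version(version)
    result = {}
    for cve, ranges in AFFECTED.items():
        for low, high, fix in ranges:
            if low <= v <= high:
                result[cve] = fix
    # Older, unsupported lines (below 5.2) are affected by the SpEL DoS only and should
    # move to a supported line; the '**' bypass does not affect versions before 5.3.
    if v < (5, 2, 0):
        result["CVE-2023-20861"] = "6.0.7 or 5.3.26"
    return result

# Matches the string arguments of .mvcMatchers(...) (Spring Security 5) and
# MvcRequestMatcher.Builder.pattern(...) (Spring Security 6); single-line calls only.
MATCHER_CALL = re.compile(r"\.(?:mvcMatchers|pattern)\(([^)]*)\)")
STRING_LITERAL = re.compile(r'"([^"]*)"')

def unprefixed_wildcards(java_source):
    """Return pattern literals handed to MVC matchers that start with '**' instead of '/'."""
    findings = []
    for call in MATCHER_CALL.finditer(java_source):
        findings += [p for p in STRING_LITERAL.findall(call.group(1)) if p.startswith("**")]
    return findings

# Constructed sample of a Spring Security 6 configuration using the pattern the advisory describes.
SAMPLE_CONFIG = """
http.authorizeHttpRequests(auth -> auth
    .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
    .requestMatchers(mvc.pattern("**")).authenticated());
"""
```

Run affected_cves() against the version in your pom.xml or build.gradle, and unprefixed_wildcards() over each security configuration class; any finding from the second check should be reviewed alongside the upgrade.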

Stay Secure with Spring Framework Updates

By updating your Spring Framework to the latest version, you can protect your enterprise from these potentially damaging vulnerabilities.