CVE-2023-20873: Spring Boot Wildcard Security Bypass

In today’s fast-paced technology landscape, security vulnerabilities can have disastrous consequences for businesses and organizations. Spring Boot helps you to create Spring-powered, production-grade applications, and services with absolute minimum fuss. It takes an opinionated view of the Spring platform so that new and existing users can quickly get to the bits they need. A new high-severity security bypass vulnerability, CVE-2023-20873, has been identified in Spring Boot.

The Wildcard Pattern Matching Vulnerability in Spring Boot

CVE-2023-20873 affects multiple versions of Spring Boot, specifically 3.0.0 – 3.0.5, 2.7.0 – 2.7.10, and older unsupported versions. When deployed to Cloud Foundry, applications may be susceptible to a security bypass that leverages wildcard pattern matching.

This vulnerability is particularly concerning for applications with code that can handle requests matching the /cloudfoundryapplication/** pattern, often found in catch-all request mappings matching /. Notably, applications using Spring Cloud Config Server are at heightened risk, as they handle requests to /cloudfoundryapplication/** by default and can be vulnerable if deployed to Cloud Foundry.

Is Your Application Vulnerable?

An application is considered vulnerable if all the following conditions are met:

1. The application is deployed to Cloud Foundry.
2. The application has code that can handle requests matching /cloudfoundryapplication/**.
3. Cloud Foundry actuator endpoints have not been disabled with management.cloudfoundry.enabled set to false.

On the other hand, applications are not vulnerable if they:

1. Are not deployed to Cloud Foundry.
2. Have disabled Cloud Foundry actuator endpoints with management.cloudfoundry.enabled set to false.
3. Do not have handler mappings that can handle requests to /cloudfoundryapplication/**.

Mitigation Steps

To mitigate the risk associated with CVE-2023-20873, users of affected Spring Boot versions should take the following actions:

1. Users of Spring Boot 3.0.x should upgrade to version 3.0.6 or later.
2. Users of Spring Boot 2.7.x should upgrade to version 2.7.11 or later.
3. Users of older, unsupported versions should upgrade to either 3.0.6+ or 2.7.11+.

Workarounds

In addition to upgrading, users can disable Cloud Foundry actuator endpoints by setting management.cloudfoundry.enabled to false. This workaround can help protect applications until the upgrade can be performed.