In Spring Framework versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25, using “**” as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, with the potential for a security bypass.
[
  {
    "vendor": "n/a",
    "product": "Spring Framework",
    "versions": [
      {
        "version": "Spring Framework (versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25)",
        "status": "affected"
      }
    ]
  }
]