VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass Vulnerability - Windows

2023-03-2100:00:00

plugins.openvas.org

vmware spring framework

security bypass

vulnerability

windows

update

pattern matching

configuration

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.7%

JSON

The VMware Spring Framework is prone to a security bypass
vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

CPE = "cpe:/a:vmware:spring_framework";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.104649");
  script_version("2023-10-13T05:06:10+0000");
  script_tag(name:"last_modification", value:"2023-10-13 05:06:10 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-03-21 12:09:06 +0000 (Tue, 21 Mar 2023)");
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-04-03 18:20:00 +0000 (Mon, 03 Apr 2023)");

  script_cve_id("CVE-2023-20860");

  script_name("VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass Vulnerability - Windows");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_vmware_spring_framework_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("vmware/spring/framework/detected", "Host/runs_windows");

  script_xref(name:"URL", value:"https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861");
  script_xref(name:"URL", value:"https://spring.io/security/cve-2023-20860");

  script_tag(name:"summary", value:"The VMware Spring Framework is prone to a security bypass
  vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Using '**' as a pattern in Spring Security configuration with
  the 'mvcRequestMatcher' creates a mismatch in pattern matching between Spring Security and Spring
  MVC, and the potential for a security bypass.");

  script_tag(name:"affected", value:"VMware Spring Framework versions 5.3.x prior to 5.3.26 and
  6.0.x prior to 6.0.7. Versions older than 5.3 are not affected.");

  script_tag(name:"solution", value:"Update to version 5.3.26, 6.0.7 or later.");

  script_tag(name:"qod_type", value:"executable_version");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if( isnull( port = get_app_port( cpe:CPE ) ) )
  exit( 0 );

if( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )
  exit( 0 );

version = infos["version"];
location = infos["location"];

if( version_in_range_exclusive( version:version, test_version_lo:"5.3.0", test_version_up:"5.3.26" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"5.3.26/6.0.7", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

if( version_in_range_exclusive( version:version, test_version_lo:"6.0.0", test_version_up:"6.0.7" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"6.0.7", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );