Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

2023-03-2800:34:28

Google

osv.dev

spring framework

security bypass

version 5.3.0 - 5.3.25

version 6.0.0 - 6.0.6

mvcrequestmatcher

pattern mismatch

spring security configuration

spring mvc

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

36.7%

JSON

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using “**” as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

CPENameOperatorVersion
org.springframework:springeq5.3.10
org.springframework:springeq5.3.9
org.springframework:springeq5.3.6
org.springframework:springeq5.3.20
org.springframework:springeq5.3.22
org.springframework:springeq5.3.3
org.springframework:springeq5.3.21
org.springframework:springeq5.3.19
org.springframework:springeq5.3.4
org.springframework:springeq5.3.5

Name	Operator	Version
org.springframework:spring	eq	5.3.10
org.springframework:spring	eq	5.3.9
org.springframework:spring	eq	5.3.6
org.springframework:spring	eq	5.3.20
org.springframework:spring	eq	5.3.22
org.springframework:spring	eq	5.3.3
org.springframework:spring	eq	5.3.21
org.springframework:spring	eq	5.3.19
org.springframework:spring	eq	5.3.4
org.springframework:spring	eq	5.3.5