CVE-2023-20860: Spring Framework Auth Bypass Vulnerability

CVE-2023-20860 is an authentication bypass flaw in VMware Spring Framework affecting versions 6.0.0-6.0.6 and 5.3.0-5.3.25. Using "**" as a pattern with Spring Security's mvcRequestMatcher causes Spring Security and Spring MVC to match request paths differently, which can let requests reach endpoints that the security configuration was meant to protect. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2023-20860 Overview

CVE-2023-20860 is a security bypass vulnerability affecting VMware Spring Framework versions 6.0.0 through 6.0.6 and 5.3.0 through 5.3.25. The vulnerability arises when using ** as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching behavior between Spring Security and Spring MVC. This discrepancy can allow attackers to bypass security controls and access protected resources.

Critical Impact

Attackers can bypass Spring Security access controls due to pattern matching inconsistencies, potentially gaining unauthorized access to protected endpoints and sensitive resources.

Affected Products

  • VMware Spring Framework versions 6.0.0 - 6.0.6
  • VMware Spring Framework versions 5.3.0 - 5.3.25
  • Applications using mvcRequestMatcher with ** wildcard patterns

Discovery Timeline

  • 2023-03-27 - CVE-2023-20860 published to NVD
  • 2025-02-19 - Last updated in NVD database

Technical Details for CVE-2023-20860

Vulnerability Analysis

This Authorization Bypass vulnerability stems from inconsistent URL pattern matching between Spring Security and Spring MVC components. When developers configure Spring Security using the mvcRequestMatcher with double-asterisk (**) wildcard patterns, a fundamental mismatch occurs in how these two frameworks interpret and process the patterns.

Spring MVC and Spring Security have subtly different interpretations of wildcard patterns, particularly the ** pattern which is intended to match any path segments. This discrepancy means that URLs which Spring Security allows through may be handled differently by Spring MVC, or vice versa. The result is that carefully crafted requests can slip through security checks while still being routed to protected controller endpoints.

The vulnerability has a network attack vector with low complexity, requiring no privileges or user interaction to exploit. It primarily impacts integrity by allowing unauthorized access to protected resources, though confidentiality and availability are not directly affected according to the CVSS assessment.

Root Cause

The root cause lies in the architectural differences between how Spring Security's mvcRequestMatcher and Spring MVC's request mapping interpret path patterns. When ** is used as a pattern, Spring Security may evaluate the pattern differently than Spring MVC's handler mapping mechanism. This creates a security gap where:

  1. Spring Security evaluates a request path against the ** pattern
  2. The evaluation result differs from how Spring MVC would route that same request
  3. Attackers can exploit this gap to access endpoints that should be protected

Attack Vector

The attack vector is network-based, allowing remote exploitation without authentication. An attacker can craft HTTP requests with specific URL patterns that:

  1. Pass through Spring Security's pattern matching due to the ** wildcard interpretation
  2. Get routed to protected Spring MVC controllers that should require authorization
  3. Execute operations on resources the attacker should not have access to

The exploitation does not require special privileges or user interaction, making it relatively straightforward for attackers to exploit once they identify an application using vulnerable Spring Security configurations with mvcRequestMatcher and ** patterns.

Detection Methods for CVE-2023-20860

Indicators of Compromise

  • Unexpected access to protected endpoints in application logs without proper authentication or authorization headers
  • HTTP requests with unusual path patterns attempting to reach secured resources
  • Access log entries showing successful requests to protected URLs from unauthenticated sessions
  • Anomalous request patterns targeting MVC endpoints with path variations

Detection Strategies

  • Review application security configurations for use of mvcRequestMatcher with ** patterns in Spring Security
  • Audit access logs for successful requests to protected endpoints that lack proper authorization tokens
  • Implement Web Application Firewall (WAF) rules to detect and alert on path traversal patterns targeting Spring applications
  • Deploy runtime application security monitoring to detect authorization bypass attempts

Monitoring Recommendations

  • Enable detailed logging for Spring Security authentication and authorization events
  • Monitor for spikes in 200 OK responses to endpoints that should typically require authentication
  • Set up alerts for access patterns that bypass expected authentication flows
  • Implement centralized log analysis to correlate access attempts across application instances
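The runtime monitoring item under Detection Strategies and the alerting items above can be implemented inside the application itself. The interceptor below is an added example written for this page; it is not SentinelOne's or the Spring project's code. It assumes Spring Framework 6 (jakarta.servlet, Java 17), Spring Security on the classpath, and that /admin/** and /api/** are the areas that must never be served to an anonymous caller (those prefixes are invented for the example). Because a HandlerInterceptor runs only after Spring MVC has resolved the handler, it observes exactly the situation this CVE describes: a request that Spring Security let through but that Spring MVC routed to a protected controller.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Runs after Spring MVC has chosen the handler for a request, i.e. after the
 * point at which a Spring Security / Spring MVC pattern mismatch would already
 * have let the request past the filter chain. If the chosen handler sits under
 * a prefix that must be authenticated but the security context holds no
 * authenticated principal, the request is logged as a suspected bypass and
 * refused with 403.
 */
public class AuthorizationBypassInterceptor implements HandlerInterceptor {

    private static final Logger log = LoggerFactory.getLogger(AuthorizationBypassInterceptor.class);

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (isAuthenticated(auth)) {
            return true; // normal case: the filter chain already established a principal
        }
        // Name the controller method that was about to run, for the SIEM record.
        String target = handler instanceof HandlerMethod hm
                ? hm.getBeanType().getSimpleName() + "#" + hm.getMethod().getName()
                : handler.getClass().getSimpleName();
        // One greppable event per incident: a protected handler reached without a principal.
        log.warn("SUSPECTED_AUTHZ_BYPASS method={} uri={} handler={} remote={}",
                request.getMethod(), request.getRequestURI(), target, request.getRemoteAddr());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false; // stop the request before the controller executes
    }

    // Anonymous requests carry an AnonymousAuthenticationToken whose isAuthenticated()
    // is true, so the token type has to be checked explicitly.
    static boolean isAuthenticated(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }
}

@Configuration
class BypassInterceptorConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Assumed prefixes: list every area that must never be served anonymously.
        registry.addInterceptor(new AuthorizationBypassInterceptor())
                .addPathPatterns("/admin/**", "/api/**");
    }
}
```

The path patterns given to addPathPatterns are evaluated by Spring MVC's own matcher, the same one that performs routing, so this check cannot disagree with routing the way the security matcher can. The SUSPECTED_AUTHZ_BYPASS line is what the centralized log analysis should alert on; a 403 from this interceptor is a detection and a stopgap, not a fix, and the framework upgrade is still required.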

How to Mitigate CVE-2023-20860

Immediate Actions Required

  • Upgrade Spring Framework to version 6.0.7 or later for the 6.x branch, or version 5.3.26 or later for the 5.3.x branch
  • Audit all Spring Security configurations using mvcRequestMatcher with ** patterns
  • Consider temporarily replacing ** patterns with more specific path patterns until upgrade is complete
  • Review and restrict access to sensitive endpoints using additional security controls

Patch Information

VMware has released patched versions of Spring Framework that address this pattern matching mismatch. Organizations should upgrade to the following versions:

  • Spring Framework 6.x: Upgrade to version 6.0.7 or later
  • Spring Framework 5.3.x: Upgrade to version 5.3.26 or later

For detailed patch information and guidance, refer to the Spring Security Advisory for CVE-2023-20860. Additional vendor advisories are available from NetApp Security Advisory.

Workarounds

  • Replace ** wildcard patterns with more explicit, specific path patterns in Spring Security configuration
  • Use antMatcher instead of mvcRequestMatcher where possible, as pattern matching behavior differs
  • Implement defense-in-depth by adding method-level security annotations (@PreAuthorize, @Secured) on controllers
  • Deploy a reverse proxy or WAF to enforce additional URL-based access controls at the network perimeter
```bash
# Verify which Spring Framework version is on the classpath of a Maven project.
# The artifacts are spring-core, spring-web, spring-webmvc, ... under org.springframework,
# so match on the group prefix rather than on "spring-framework".
mvn dependency:tree | grep 'org.springframework:spring-'

# Check for affected configurations in the codebase: the matcher class itself,
# the 5.x mvcMatchers() DSL, and a bare "**" pattern in security-related sources.
grep -rEi 'MvcRequestMatcher|mvcMatchers' --include="*.java" .
grep -r '"\*\*"' --include="*.java" . | grep -i security

# Update the Spring Framework dependency in pom.xml to a patched version.
# For Spring Framework 6.x:
# <spring.version>6.0.7</spring.version>
# For Spring Framework 5.3.x:
# <spring.version>5.3.26</spring.version>
# (spring.version is a project-specific property name; projects that inherit from
#  spring-boot-starter-parent override <spring-framework.version> instead)
```
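To make the Root Cause and Workarounds sections concrete, the following is an added example of the configuration shape this advisory concerns next to a hardened form. It is written for this page and is not SentinelOne's or the Spring project's code. It assumes Spring Security 5.8 or 6.0 with the authorizeHttpRequests DSL, the HandlerMappingIntrospector bean that Spring MVC provides, and invented controller paths (/public, /admin, /api). Which concrete request paths the two frameworks disagree on is not stated on this page, so the example shows the configuration difference only.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@EnableMethodSecurity
public class SecurityConfig {

    // BEFORE (affected shape, deliberately NOT a @Bean so it is never applied):
    // a bare "**" pattern handed to MvcRequestMatcher. On Spring Framework
    // 6.0.0-6.0.6 / 5.3.0-5.3.25 this is the configuration CVE-2023-20860
    // concerns: Spring Security and Spring MVC interpret "**" differently, so
    // the authorization decision and the routing decision can diverge.
    SecurityFilterChain affectedChain(HttpSecurity http,
                                      HandlerMappingIntrospector introspector) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new MvcRequestMatcher(introspector, "**")).authenticated());
        return http.build();
    }

    // AFTER: explicit, rooted path patterns per protected area and a deny-by-default
    // fallback. The framework upgrade to 6.0.7+ / 5.3.26+ happens in the build file,
    // not here; this configuration is the workaround layered on top of it.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http,
                                      HandlerMappingIntrospector introspector) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new MvcRequestMatcher(introspector, "/public/**")).permitAll()
                .requestMatchers(new MvcRequestMatcher(introspector, "/admin/**")).hasRole("ADMIN")
                .requestMatchers(new MvcRequestMatcher(introspector, "/api/**")).authenticated()
                // Anything not listed is refused, so a matcher mismatch fails closed, not open.
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Defense in depth from the Workarounds list: the method itself re-checks the role,
// independently of whichever URL matcher let the request reach it.
@RestController
@RequestMapping("/admin")
class AdminController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/users")
    List<String> users() {
        return List.of("alice", "bob"); // constructed sample data
    }
}
```

Two properties of the hardened chain matter for this CVE: every pattern starts with "/" and names a specific area, and anyRequest().denyAll() means a request that no matcher claims is rejected rather than passed to Spring MVC. The @PreAuthorize annotation then gives a second decision point that does not depend on URL matching at all. After deploying, a MockMvc test that asserts an unauthenticated GET /admin/users returns 401 or 403 is the cheapest regression check for the configuration.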

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
