
CVE-2023-20860: High-Severity Vulnerability in VMware Spring Framework

A high-severity vulnerability in VMware Spring Framework could allow for security bypass due to incorrect pattern matching. Organizations using affected versions must prioritize patching to mitigate risks.

Severity: HIGH · Public Exploit · CVSS 7.5 · Published March 27, 2023


CVE-2023-20860 is a high-severity vulnerability affecting VMware's Spring Framework versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25. It is a security bypass caused by incorrect pattern matching: when "**" is used as a pattern in a Spring Security configuration with the mvcRequestMatcher, Spring Security and Spring MVC interpret that pattern differently, and the resulting mismatch could lead to unauthorized access in certain scenarios.

The vulnerability has been assigned a CVSS score of 7.5, indicating a high severity level. The attack vector is network-based with low attack complexity, and exploitation requires neither privileges nor user interaction. Organizations utilizing the affected versions of the Spring Framework should take immediate action.

The risk to organizations includes potential unauthorized access to sensitive data or functionality, which could compromise application integrity. Given that a public exploit exists, organizations should prioritize patching immediately to mitigate the risk.
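As an added illustration (this is not code from the advisory or from the Spring project), the following Spring Security 6 Java configuration places the pattern shape the advisory describes next to a hardened variant. It assumes the risky case is a "**" that is not the final path element, which is where Spring Security's multi-segment reading of "**" and Spring MVC's PathPattern matching diverge; the package, class, role and path values are hypothetical.

```java
// Added example, not part of the advisory: a Spring Security 6 configuration
// showing a "**" pattern shape that can produce the Spring Security / Spring MVC
// mismatch described in CVE-2023-20860, beside a hardened, fail-closed variant.
// Package, class, role and path values are hypothetical.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
public class WebSecurityConfig {

    // WEAK (kept only for comparison; not registered as a bean): "**" sits in the
    // middle of the pattern. Spring Security reads "**" as "any number of path
    // segments", while Spring MVC's PathPattern only supports "**" as the trailing
    // element, so the two sides can disagree about which requests this rule covers.
    // On an affected Spring Framework version this is the mismatch the advisory
    // describes, and the permissive default below means a disagreement fails open.
    // @Bean
    SecurityFilterChain weakChain(HttpSecurity http,
                                  HandlerMappingIntrospector introspector) throws Exception {
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers(mvc.pattern("/api/**/admin")).hasRole("ADMIN")
            .anyRequest().permitAll());   // fails open if the matchers disagree
        return http.build();
    }

    // HARDENED: use "**" only as a trailing wildcard under a fixed prefix, list the
    // public area explicitly, and deny everything else so that any matcher
    // disagreement fails closed. Upgrading Spring Framework to a fixed release is
    // still required; this configuration is defence in depth, not a substitute.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http,
                                      HandlerMappingIntrospector introspector) throws Exception {
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers(mvc.pattern("/api/admin/**")).hasRole("ADMIN")
            .requestMatchers(mvc.pattern("/api/public/**")).permitAll()
            .anyRequest().denyAll());     // fail closed
        return http.build();
    }
}
```

The design point is the last rule in each chain: a deny-by-default `anyRequest().denyAll()` limits the damage of any future matcher disagreement, whereas `permitAll()` turns a pattern-interpretation difference directly into an authorization bypass. Auditing existing configurations for "**" anywhere other than the end of a pattern is a quick way to find rules worth rewriting while the patch is rolled out.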

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
