What is CVE-2023-20860?

CVE-2023-20860 is a vulnerability in Spring Framework. Published 2023-03-27.

Is CVE-2023-20860 known to be exploited?

32 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Spring Framework

CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the pot…

EPSS: 0.563 (98.2th percentile) — read the EPSS interpretation.

Affected products

N/a Spring Framework — versions Spring Framework (versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25)

Public proof-of-concept exploits

limo520/CVE-2023-20860
ARPSyndicate/cvemon
Agilevatester/SpringSecurity
Agilevatester/SpringSecurityV1
DrC0okie/HEIG_
Dzmitry-Basiachenka/dist-foreign-aliakh
J1ezds/Vulnerability-Wiki-page
Threekiii/Awesome-POC
Threekiii/CVE
XiaomingX/JSEF

References

spring.io/security/cve-2023-20860
security.netapp.com/advisory/ntap-20230505-0006/

Frequently asked questions

What is CVE-2023-20860?: CVE-2023-20860 is a vulnerability in Spring Framework. Published 2023-03-27.
Is CVE-2023-20860 known to be exploited?: 32 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.