Summary & Key Actions Required

At present we are continuing to analyze CVE-2023-20860 which currently has a CVSS score of 9.1 and impacts the software component org.springframework:spring-webmvc. We will update this article if any more information becomes available and will highlight if our recommendations or plans change.

At this time, there is no action for Avantra customers to take as Avantra does not use the configuration that is needed for this exploit to be a concern. Avantra will, as part of normal practices, update to the latest version of this component (5.3.26) during the next release cycle over the coming weeks.

Related security articles:

CVE-2023-20860 Summary

Please see this article for more information:

Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Impact to Avantra

After detailed analysis by our development teams, it has been confirmed that Avantra does not use the affected component configuration and so is not vulnerable to this potential security bypass.

Impact on our customers

No action is required at this time.

Change Log

28th Mar '23 @ 1200 CETInitial Notice Published

We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.