Summary & Key Actions Required

We are continuing to analyze CVE-2023-20860, which currently has a CVSS score of 9.1 and affects the software component org.springframework:spring-webmvc. We will update this article as more information becomes available and will highlight any change to our recommendations or plans.


At this time, there is no action for Avantra customers to take: Avantra does not use the configuration this vulnerability requires, so the exploit is not a concern. As part of normal practice, Avantra will update to the latest version of this component (5.3.26) in the next release cycle over the coming weeks.




CVE-2023-20860 Summary

Please see this article for more information: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-20860


Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
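As an added illustration (not Avantra's configuration or code), the pattern the description refers to is shown beside the ordinary leading-slash form, so the exact string to look for in a configuration audit is clear. It assumes a Spring Security 5.x application using the `mvcMatchers` DSL with spring-webmvc 5.3.x on the classpath; the class and profile names are invented for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Illustrative configuration only (assumed setup, not Avantra's code):
// Spring Security 5.x with spring-webmvc 5.3.x, so mvcMatchers() delegates
// to Spring MVC path matching, which is where the CVE-2023-20860
// mismatch between the two components arises.
@Configuration
@EnableWebSecurity
public class PatternMatchingSecurityConfig {

    // WEAK: the pattern the advisory describes. A bare "**" (no leading
    // slash) given to the MVC request matcher is not interpreted the same
    // way by Spring Security and Spring MVC, so the set of requests the
    // security rule covers and the set Spring MVC routes can differ; that
    // gap is the potential bypass. Kept behind a profile so it is never the
    // active chain; it exists only to show the string to search for.
    @Bean
    @Profile("weak-pattern-demo")
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .mvcMatchers("**").authenticated());
        return http.build();
    }

    // HARDENED: an ordinary absolute path pattern "/**". Both components
    // read this as "every path under the context root", so the security
    // rule and the MVC handler mapping agree on which requests it covers.
    // The component upgrade to spring-webmvc 5.3.26 mentioned above
    // remains the authoritative fix; this only removes the ambiguous form.
    @Bean
    @Profile("!weak-pattern-demo")
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .mvcMatchers("/**").authenticated());
        return http.build();
    }
}
```

A quick check for the weak form across a code base is a search for `mvcMatchers("**")` or an `mvcRequestMatcher` built from the bare `"**"` string.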



Impact to Avantra

After detailed analysis by our development teams, it has been confirmed that Avantra does not use the affected configuration (the "**" pattern with mvcRequestMatcher) and so is not vulnerable to this potential security bypass.


Impact on our customers

No action is required at this time.


Change Log

28th Mar '23 @ 1200 CET: Initial Notice Published


We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.