
=====================================================================

                                CERT-Renater

                     Information Note No. 2023/VULN122

_____________________________________________________________________

DATE                : 29/03/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Framework 6.0.x before
                           6.0.7, 5.3.x before 5.3.26, or 5.2.x before
                           5.2.23.RELEASE (older, unsupported lines are
                           also affected).

=====================================================================
https://spring.io/security/cve-2023-20861/
https://spring.io/security/cve-2023-20860/
_____________________________________________________________________

CVE-2023-20861: Spring Expression DoS Vulnerability
MEDIUM | MARCH 24, 2023 | CVE-2023-20861
Description

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25,
5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions,
it is possible for a user to provide a specially crafted SpEL
expression that may cause a denial-of-service (DoS) condition.
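The description above concerns an expression supplied by a user reaching the
SpEL parser. The example below is added here and is not code from the advisory
or from Spring; it shows the pattern a practitioner should look for when
triaging exposure to this issue: an application that parses and evaluates a
caller-supplied expression. The class name, the Order type, the sample values
and the 256-character cap are assumptions made for illustration; the cap is an
application-level choice, not a Spring setting described on this page. Upgrading
remains the fix; restricting the evaluation context limits what such an
expression can reach but does not replace the upgrade.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Hypothetical helper (not from Spring or the advisory) showing where the
// advisory applies: a caller-controlled SpEL expression being evaluated.
public final class SpelInputExample {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Assumed application-level limit on expression length. It is not a Spring
    // setting; it only refuses obviously oversized input before parsing.
    private static final int MAX_EXPRESSION_LENGTH = 256;

    // Root object the expression is evaluated against (constructed sample type).
    public static final class Order {
        private final int quantity;
        private final double unitPrice;

        public Order(int quantity, double unitPrice) {
            this.quantity = quantity;
            this.unitPrice = unitPrice;
        }

        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    // Risky pattern: caller-controlled expression evaluated with a full
    // StandardEvaluationContext, so type references, constructors and bean
    // references are all available to whatever the caller sends.
    static Object evaluateUnrestricted(String userExpression, Order root) {
        Expression expr = PARSER.parseExpression(userExpression);
        return expr.getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: reject missing or oversized input, then evaluate with a
    // read-only data-binding context, which exposes property access on the root
    // object and excludes type references, constructors and bean references.
    static Object evaluateRestricted(String userExpression, Order root) {
        if (userExpression == null || userExpression.length() > MAX_EXPRESSION_LENGTH) {
            throw new IllegalArgumentException("expression rejected: missing or too long");
        }
        Expression expr = PARSER.parseExpression(userExpression);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expr.getValue(ctx, root);
    }

    public static void main(String[] args) {
        Order order = new Order(3, 19.99);

        // A benign data-binding expression works in the restricted context.
        System.out.println("total = " + evaluateRestricted("quantity * unitPrice", order));

        // A type reference is refused at evaluation time by the restricted
        // context, whereas the unrestricted context would resolve it.
        try {
            evaluateRestricted("T(java.lang.Math).max(1, 2)", order);
        } catch (EvaluationException e) {
            System.out.println("refused by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

When auditing an application for this advisory, search for SpelExpressionParser
usages and trace whether the parsed string can originate from a request; those
are the call sites where a crafted expression reaches the affected code.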


Affected Spring Products and Versions

     Spring Framework
         6.0.0 to 6.0.6
         5.3.0 to 5.3.25
         5.2.0.RELEASE to 5.2.22.RELEASE
         Older, unsupported versions are also affected


Mitigation

Users of affected versions should apply the following mitigation:
6.0.x users should upgrade to 6.0.7+. 5.3.x users should upgrade
to 5.3.26+. 5.2.x users should upgrade to 5.2.23.RELEASE+. Users
of older, unsupported versions should upgrade to 6.0.7+ or
5.3.26+.

No other steps are necessary. Releases that have fixed this issue
include:


     Spring Framework
         6.0.7+
         5.3.26+
         5.2.23.RELEASE+


Credit

This vulnerability was initially discovered and responsibly reported
by the Google OSS-Fuzz team from Code Intelligence.


References

     https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RL:O
     https://cwe.mitre.org/data/definitions/770.html


History

     2023-03-20: Initial vulnerability report published.

_____________________________________________________________________

CVE-2023-20860: Security Bypass With Un-Prefixed Double Wildcard
Pattern
HIGH | MARCH 20, 2023 | CVE-2023-20860
Description

Using "**" as a pattern in a Spring Security configuration with the
mvcRequestMatcher creates a mismatch between how Spring Security and
Spring MVC match the pattern, and therefore the potential for a
security bypass.
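As an added example, not taken from the advisory or from Spring Security's own
code, the configuration below shows a Spring Security 6 / Spring MVC security
filter chain whose catch-all rule is written with the anchored "/**" pattern;
the un-prefixed "**" form the advisory warns about is shown only in a comment.
The class name, the /admin/** rule and the injection of a HandlerMappingIntrospector
bean are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Hypothetical configuration class (not from the advisory or Spring Security).
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    HandlerMappingIntrospector introspector) throws Exception {
        // mvc.pattern(...) builds an MvcRequestMatcher, i.e. the matcher the
        // advisory refers to; the introspector is assumed to be available as a
        // bean when Spring MVC is on the classpath.
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);

        http.authorizeHttpRequests(auth -> auth
            // Specific rules first (assumed example rule).
            .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
            // Catch-all rule. The form the advisory warns about is the
            // un-prefixed double wildcard:
            //     .requestMatchers(mvc.pattern("**")).authenticated()
            // Use the anchored pattern instead, so Spring Security and Spring
            // MVC agree on what the rule covers.
            .requestMatchers(mvc.pattern("/**")).authenticated()
        );
        return http.build();
    }
}
```

On the 5.3.x line the equivalent catch-all is
http.authorizeRequests().mvcMatchers("/**").authenticated(); the same
distinction between "/**" and an un-prefixed "**" applies there. Upgrading to a
fixed Spring Framework version removes the mismatch; using the anchored pattern
avoids relying on it in the first place.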


Affected Spring Products and Versions

     Spring Framework
         6.0.0 to 6.0.6
         5.3.0 to 5.3.25
         Versions older than 5.3 are not affected


Mitigation

The following Spring Framework versions contain fixes for this
vulnerability:

     6.0.7+
     5.3.26+


Credit

This vulnerability was discovered internally.


References

     https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1


History

     2023-03-20: Initial vulnerability report published.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

