CVE-2023-20873: Spring Boot security bypass using wildcard pattern matching on Cloud Foundry


0. Preface

Background: a security scan of the company project flagged CVE-2023-20873, a security bypass using wildcard pattern matching on Cloud Foundry.

CVE-2023-20873: Security bypass using wildcard pattern matching on Cloud Foundry
High Risk | May 18, 2023 | CVE-2023-20873

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older supported versions, applications deployed on Cloud Foundry are potentially subject to a security bypass.

1. Reference documents

CVE record: https://www.cve.org/CVERecord?id=CVE-2023-20873

2. Basic introduction

Description

Specifically, an application is vulnerable when all of the following conditions are met:

You have code that handles requests matching /cloudfoundryapplication/**. Typically this is the case when there is a global request mapping that matches /**.
The application is deployed on Cloud Foundry.
Note: Applications using Spring Cloud Config Server handle requests to /cloudfoundryapplication/** by default and may be vulnerable if deployed on Cloud Foundry.

An application is not vulnerable if any of the following conditions is met:

The application is not deployed on Cloud Foundry.
You have disabled the Cloud Foundry actuator endpoint by setting management.cloudfoundry.enabled to false.
Your application does not have a handler mapping that can handle requests to /cloudfoundryapplication/**.

Affected Spring products and versions

Spring Boot

3.0.0 to 3.0.5
2.7.0 to 2.7.10
2.6.0 to 2.6.14
2.5.0 to 2.5.14
Older, no longer supported versions are also affected.

3. Solutions

3.1. Upgrade version

Users of affected versions should apply the following actions:

3.0.x users should upgrade to 3.0.6+.
2.7.x users should upgrade to 2.7.11+.
2.6.x users should upgrade to 2.6.15+.
2.5.x users should upgrade to 2.5.15+.
Users of older and no longer supported versions should upgrade to 3.0.6+ or 2.7.11+.

3.2. Alternatives

Disable the Cloud Foundry actuator endpoint by setting management.cloudfoundry.enabled to false.
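As an added example (not code from the original post or from the Spring project), a small Python checker that applies the conditions and upgrade targets listed above: it classifies a Spring Boot version against the affected ranges, reads application.properties for management.cloudfoundry.enabled, and combines that with the deployment facts into a verdict. The .properties reader handles flat key=value lines only, and the sample configuration is constructed for the example.

```python
import re

AFFECTED = [  # (first affected, last affected, fixed release), from the advisory above
    ((3, 0, 0), (3, 0, 5), "3.0.6"),
    ((2, 7, 0), (2, 7, 10), "2.7.11"),
    ((2, 6, 0), (2, 6, 14), "2.6.15"),
    ((2, 5, 0), (2, 5, 14), "2.5.15"),
]
OLDEST_LISTED = (2, 5, 0)  # anything below is an "older, no longer supported" line


def parse_version(version):
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())  # '2.7.10.RELEASE' -> (2, 7, 10)
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {version!r}")
    return tuple(int(p) for p in m.groups())


def fixed_version_for(version):
    """Upgrade target if the Spring Boot version is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    if v < OLDEST_LISTED:
        return "3.0.6 or 2.7.11"
    return None


def cloudfoundry_endpoint_disabled(properties_text):
    """True only if application.properties explicitly sets the key to false."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        if key.strip() == "management.cloudfoundry.enabled":
            return value.strip().lower() == "false"
    return False  # Spring Boot's default: the endpoint is enabled


def assess(version, properties_text, on_cloud_foundry, catch_all_mapping):
    """Apply the advisory's conditions; returns (vulnerable, recommended action)."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return False, "version not affected"
    if not on_cloud_foundry:
        return False, f"not on Cloud Foundry; still upgrade to {fixed}+"
    if cloudfoundry_endpoint_disabled(properties_text):
        return False, f"endpoint disabled; still upgrade to {fixed}+"
    if not catch_all_mapping:
        return False, f"no /cloudfoundryapplication/** handler; still upgrade to {fixed}+"
    return True, f"upgrade to {fixed}+ or set management.cloudfoundry.enabled=false"


# Constructed sample config: the key is only commented out, so the endpoint stays enabled.
SAMPLE_PROPERTIES = "server.port=8080\n# management.cloudfoundry.enabled=false\n"
```

Call assess("2.7.10", SAMPLE_PROPERTIES, True, True) for an app with a global /** mapping on Cloud Foundry; it reports the app as vulnerable with the 2.7.11+ upgrade target.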

Source: blog.csdn.net/wangshuai6707/article/details/132539307