CVE-2023-20860 - Local Privilege Escalation
Severity: None
2023-06-07
Abstract
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v5.1 and older | None | Oxygen Content Fusion v6.0 build 2023110109 |
| Oxygen Feedback v3.0.1 and older | None | Oxygen Feedback 3.0.2 build 2023072015 |
Detail
CVE-2023-20860
Severity: High
CVSS Score: 7.5
The Spring Framework third-party library used by the Oxygen XML products is one of the affected versions listed in the CVE-2023-20860 description. However, the Oxygen products do not use mvcMatchers, which is the configuration the vulnerability depends on. For that reason, the Oxygen XML products are not affected by this vulnerability.
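The advisory's reasoning has two parts: the Spring Framework version must fall in an affected range (6.0.0 - 6.0.6 or 5.3.0 - 5.3.25), and the Spring Security configuration must use an MVC-based matcher with a "**" pattern. The following script, an added example that is not part of this advisory and not Oxygen's own tooling, applies both checks to a project's own artifacts. It assumes dependency lines in the `groupId:artifactId:type:version:scope` form printed by `mvn dependency:list`, and it locates `mvcMatchers(...)` / `MvcRequestMatcher(...)` calls in Java source with a regular-expression heuristic (no nested parentheses); the sample dependency list and configuration fragment are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Affected Spring Framework ranges, inclusive, as stated in the advisory:
# 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25.
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 6)),
    ((5, 3, 0), (5, 3, 25)),
)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# One line of `mvn dependency:list` output (assumed format), e.g.
#   [INFO]    org.springframework:spring-core:jar:5.3.25:compile
# Only the "org.springframework" group is Spring Framework itself;
# "org.springframework.boot" and ".security" are separate projects.
DEP_LINE_RE = re.compile(
    r"^(?:\[INFO\])?\s*(org\.springframework):([\w.-]+):\w+:([^:\s]+)"
)

# A call to Spring Security's mvcMatchers(...) or new MvcRequestMatcher(...)
# and the string literals passed to it. Heuristic: stops at the first ')'.
MVC_CALL_RE = re.compile(r"\b(mvcMatchers|MvcRequestMatcher)\s*\(([^)]*)\)")
STRING_LITERAL_RE = re.compile(r'"([^"]*)"')


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); trailing qualifiers are ignored."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"not a dotted version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True if a Spring Framework version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_affected_dependencies(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) for Spring Framework artifacts in range."""
    hits = []
    for line in lines:
        match = DEP_LINE_RE.match(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        if is_affected_version(version):
            hits.append((f"{group}:{artifact}", version))
    return hits


def find_mvc_double_star_patterns(source: str) -> List[Tuple[str, str]]:
    """Return (call, pattern) for MVC-based matchers whose pattern contains '**'."""
    findings = []
    for call, args in MVC_CALL_RE.findall(source):
        for pattern in STRING_LITERAL_RE.findall(args):
            if "**" in pattern:
                findings.append((call, pattern))
    return findings


def assess(dependency_lines: Iterable[str], security_config: str) -> Dict[str, object]:
    """Apply the advisory's condition: affected version AND mvc matcher using '**'."""
    versions = find_affected_dependencies(dependency_lines)
    patterns = find_mvc_double_star_patterns(security_config)
    return {
        "affected_versions": versions,
        "mvc_double_star_patterns": patterns,
        "exposed": bool(versions) and bool(patterns),
    }


# Constructed sample dependency listing (not real Oxygen build data).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.springframework:spring-core:jar:5.3.25:compile",
    "[INFO]    org.springframework:spring-web:jar:5.3.25:compile",
    "[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile",
]

# Constructed sample Spring Security configuration fragment.
SAMPLE_SECURITY_CONFIG = """
http.authorizeRequests()
    .mvcMatchers("/admin/**").hasRole("ADMIN")
    .antMatchers("/public/**").permitAll()
    .requestMatchers(new MvcRequestMatcher(introspector, "/api/**")).authenticated();
"""

if __name__ == "__main__":
    # For the sample input both conditions hold, so "exposed" is True.
    print(assess(SAMPLE_DEPENDENCY_LIST, SAMPLE_SECURITY_CONFIG))
```

A project whose framework version is in range but whose configuration only uses `antMatchers` (the Oxygen situation described above) gets `"exposed": False`, while one that still uses an affected version together with an MVC matcher on a `**` pattern is flagged and should move to a fixed Spring Framework release.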
Revision History
2023-07-26 Starting with Oxygen Feedback version 3.0.2 build 2023072015, Spring Boot was updated to version 2.7.11, which includes a fix for CVE-2023-20860.
2023-11-06 Starting with Oxygen Content Fusion version 6.0 build 2023110109, Spring Boot was updated to version 2.7.10, which includes a fix for CVE-2023-20860.