CVE-2023-20873 - Local Privilege Escalation
Severity: None
Published: 2023-06-07
Abstract
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
The Oxygen products incorporate Spring Boot as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Content Fusion v5.1 and older | None | Oxygen Content Fusion 5.1.1 build 2023072112 |
| Oxygen Feedback v3.0.1 and older | None | Oxygen Feedback 3.0.2 build 2023072015 |
Detail
CVE-2023-20873
Severity: Critical
CVSS Score: 9.8
The Spring Boot third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2023-20873 vulnerability description. However, the Oxygen products are not deployed to Cloud Foundry, which is the precondition for this security bypass. For that reason, Oxygen XML products are not affected by this vulnerability.
Revision History
2023-07-26 Starting with Oxygen Content Fusion version 5.1.1 build 2023072112, Spring Boot was updated to version 2.7.11, which includes the fix for CVE-2023-20873.
2023-07-26 Starting with Oxygen Feedback version 3.0.2 build 2023072015, Spring Boot was updated to version 2.7.11, which includes the fix for CVE-2023-20873.