Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2023-20873
Back to All
CVE

CVE-2023-20873

Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry

Description

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

Base CVSS

9.8

EPSS Score

0.33%

Introduced Version

2.0.0.RELEASE

Fix Available

2.5.15,2.6.15,2.7.11,3.0.6

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.10
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+107
-21
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
3.0.4
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+107
-21
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
3.0.3
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+107
-21
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.5
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+547
-308
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.4
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+547
-308
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
3.0.1
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+547
-309
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
3.0.2
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+546
-309
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.9
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+107
-21
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
3.0.5
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+107
-21
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.8
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+546
-308
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.6
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+547
-308
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
2.7.7
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+547
-308
Package Name
org.springframework.boot:spring-boot-actuator-autoconfigure
3.0.0
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+547
-309

References

https://nvd.nist.gov/vuln/detail/CVE-2023-20873
https://github.com/spring-projects/spring-boot/commit/32444fed4b51cc58dc908467f706102d7f0bfc15
https://security.netapp.com/advisory/ntap-20230601-0009
https://github.com/spring-projects/spring-boot/releases/tag/v2.7.11
https://github.com/spring-projects/spring-boot
https://spring.io/security/cve-2023-20873
https://github.com/spring-projects/spring-boot/releases/tag/v2.6.15
https://github.com/spring-projects/spring-boot/releases/tag/v3.0.6
https://github.com/spring-projects/spring-boot/commit/3522714c13b47af03bf42e7f2d5994af568cb1a7
https://spring.io/blog/2023/05/18/spring-boot-2-5-15-and-2-6-15-available-now
https://github.com/spring-projects/spring-boot/releases/tag/v2.5.15

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01