Two Spring Framework flaws put your java applications in great risk

Spring is a widely popular application framework that gives software developers the ability to rapidly and simply construct Java applications that include capabilities often seen in enterprise-level software. Thereafter, you’ll be able to deploy these apps on servers like Apache Tomcat as self-contained packages that include all of the necessary dependencies. The Spring Framework is a Java platform that offers all-encompassing support for the infrastructure that is required for the development of Java applications. Since Spring takes care of the infrastructure, you can concentrate on developing your application.

Building apps using “plain old Java objects” (POJOs) and applying business services in a non-intrusive manner to POJOs are both possible via the use of Spring. This feature applies to both the complete and partial implementations of Java EE, as well as the Java SE programming paradigm. The Spring Framework has recently patched two security flaws, CVE-2023-20860 and CVE-2023-20861, in both version 6.0.7 and version 5.3.26. This is part of a continuing effort to ensure that the framework’s security remains strong. You may safeguard your business from these potentially disastrous vulnerabilities by ensuring that your firm is using the most recent version of Spring Framework.


Security Bypass using Un-Prefixed Double Wildcard Pattern

This vulnerability, which has a score of 8.8 on the Common Vulnerability Scoring System (CVSS), is a security bypass that could occur when using an un-prefixed double wildcard pattern (“**”) in the Spring Security configuration with the mvcRequestMatcher. The vulnerability is a result of the use of an un-prefixed double wildcard pattern. Because of this setup, there will be a disparity in the pattern matching between Spring Security and Spring MVC, which might result in illegal access being granted.

Versions of the Spring Framework from 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25 are impacted by the bug. Versions older than 5.3 have not been impacted in any way. Developers should upgrade to a version of Spring Framework that is 6.0.7 or above or 5.3.26 or higher to reduce the potential for danger.


Spring Expression Denial of Service Vulnerability

This vulnerability is a denial-of-service (DoS) issue that affects Spring Expression (SpEL). The CVSS score for this vulnerability is 5.3. In versions 6.0.0 to 6.0.6 of the Spring Framework, as well as versions 5.3.0 to 5.3.25 and 5.2.0 and previous versions that are no longer supported, a user has the ability to create a malicious SpEL expression that will result in a DoS situation.

Users of vulnerable versions should upgrade to the following to reduce the risk of exploiting this vulnerability:

Users of 6.0.x should update to 6.0.7 or above.
Anyone currently operating on 5.3.x should update to 5.3.26+.
Those currently using 5.2.x should update to 5.2.23.