In today's long read, we're going to discuss a critical security vulnerability that impacts the widely-used Spring Framework. The vulnerability, dubbed CVE-2023-20860, affects Spring Framework versions 6.. to 6..6, and 5.3. to 5.3.25. Specifically, it occurs when using the double asterisk (**) pattern in Spring Security configuration. This configuration mishap inadvertently creates a mismatch in pattern matching between Spring Security and Spring MVC, thereby exposing users to potential security bypass attacks.

Overview of the Spring Framework

For the uninitiated, the Spring Framework is an open-source Java-based framework used for developing Java applications. It provides comprehensive infrastructure support and simplifies application development processes. A crucial component of this framework is Spring Security, which is responsible for maintaining the security of applications.

The Issue: Mismatched Pattern Matching

When developers use the ** symbol in Spring Security configuration with the mvcRequestMatcher class, the pattern matching gets disrupted. The disruption arises from a difference in how Spring Security parses URL patterns in comparison to Spring MVC, causing misaligned pattern interpretation.

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .mvcMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
            .and()
            .logout()
                .permitAll();
    }
}

In the above code snippet, the affected area of the configuration is .mvcMatchers("/resources/**").permitAll(). The intention behind this line is to allow access to all static resources under the "/resources/" path. However, the double asterisk poses a threat due to the difference between how Spring Security and Spring MVC match URL patterns.

How the Security Bypass Occurs

The mismatch caused by using the symbol in configuration presents an opportunity for attackers to bypass security controls. For example, if an application allows access to "/public/" URL patterns and renders sensitive information at "/admin/secret", an attacker could craft requests like "/public/../admin/secret," effectively bypassing the security meant to protect sensitive information.

Mitigation and Solutions

To mitigate this vulnerability and secure your Spring applications, it is essential to update your Spring Framework to the latest version. Pivotal, the main developer behind the Spring Framework, has released patches to address this issue. The recommended versions to update to are 5.3.26 for Spring Framework 5.3.x and 6..7 for Spring Framework 6..x.

Alternatively, you may modify your configuration to ensure proper pattern matching between Spring Security and Spring MVC. This can be done by utilizing the RequestMatcher implementation that matches URLs with the same pattern matching mechanism used by Spring MVC.

.antMatchers(patterns.toArray(new String[])).mvcMatchers(patterns.toArray(new String[])).permitAll()

- CVE-2023-20860 - NIST National Vulnerability Database
- Pivotal Security Notice - Addressing the vulnerability
- Spring Framework GitHub Repository - Source code and latest updates

It is important to always stay vigilant and updated when developing applications, especially when using widely-used frameworks such as Spring. Be sure to keep an eye on security advisories and promptly patch any vulnerabilities to ensure the safety of your applications and users.

Timeline

Published on: 03/27/2023 22:15:00 UTC
Last modified on: 05/05/2023 20:15:00 UTC