Bug 2231491 (CVE-2023-20873)

Summary: CVE-2023-20873 spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, cmoulliard, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, emingora, fjuma, gjospin, gmalinko, ibek, ikanello, ivassile, iweiss, janstey, jpoth, jrokos, jross, jscholz, kaycoth, kverlaen, lbacciot, lgao, lthon, mizdebsk, mnovotny, mosmerov, msochure, mstefank, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, pskopek, rguimara, rkieley, rowaters, rruss, rstancel, saroy, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: spring-boot 2.5.15, spring-boot 2.6.15, spring-boot 2.7.11, spring-boot 3.0.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring Boot, specifically in the 'spring-boot-actuator-autoconfigure' package. An application deployed to Cloud Foundry could be susceptible to a security bypass. Specifically, an application is vulnerable when all of the following are true:
* You have code that can handle requests that match /cloudfoundryapplication/**. Typically, this is the case if there is a catch-all request mapping which matches /**.
* The application is deployed to Cloud Foundry.
An application is not vulnerable if any of the following is true:
* The application is not deployed to Cloud Foundry.
* You have disabled the Cloud Foundry actuator endpoints by setting management.cloudfoundry.enabled to false.
* Your application does not have handler mappings that can handle requests to /cloudfoundryapplication/**.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2231492, 2231493, 2231494, 2231495
Bug Blocks: 2188521
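The Doc Text above makes the vulnerable condition a property of the application's own handler mappings: the application is exposed only if one of its mappings (typically a catch-all on /**) can serve requests under /cloudfoundryapplication/**. The following startup audit is an added example, not code from this bug report or from the Spring Boot project. It assumes a Spring MVC (servlet) application; the class name CloudFoundryPathAudit and the probe paths are constructed for the illustration. It walks every pattern registered with the application's RequestMappingHandlerMapping and reports the ones that would match a request under the Cloud Foundry actuator prefix.

```java
// Added example (not from the bug report or Spring Boot): a startup audit that
// lists application handler mappings able to serve /cloudfoundryapplication/** requests.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.http.server.PathContainer;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;
import org.springframework.web.util.pattern.PatternParseException;

@Component
public class CloudFoundryPathAudit implements ApplicationRunner {

    // Constructed probe paths: the bare prefix and one representative path below it.
    static final List<String> PROBES = List.of(
            "/cloudfoundryapplication",
            "/cloudfoundryapplication/info");

    private final RequestMappingHandlerMapping mappings;
    private final PathPatternParser parser = new PathPatternParser();

    public CloudFoundryPathAudit(RequestMappingHandlerMapping mappings) {
        this.mappings = mappings;
    }

    /**
     * Returns one line per application mapping pattern that matches at least one probe
     * path, formatted as "pattern -> HandlerClass". Patterns the PathPattern parser cannot
     * express are reported for manual review instead of being silently skipped.
     */
    public List<String> findOverlappingPatterns() {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<RequestMappingInfo, HandlerMethod> e : mappings.getHandlerMethods().entrySet()) {
            String handler = e.getValue().getBeanType().getSimpleName();
            // getPatternValues() yields the raw patterns whichever path-matching strategy is active.
            for (String raw : e.getKey().getPatternValues()) {
                PathPattern pattern;
                try {
                    pattern = parser.parse(raw);
                } catch (PatternParseException ex) {
                    hits.add(raw + " -> " + handler + " (not parseable, review manually)");
                    continue;
                }
                for (String probe : PROBES) {
                    if (pattern.matches(PathContainer.parsePath(probe))) {
                        hits.add(raw + " -> " + handler + " (matches " + probe + ")");
                        break; // one report per pattern is enough
                    }
                }
            }
        }
        return hits;
    }

    @Override
    public void run(ApplicationArguments args) {
        List<String> hits = findOverlappingPatterns();
        if (hits.isEmpty()) {
            System.out.println("[cf-audit] no application handler mapping matches /cloudfoundryapplication/**");
            return;
        }
        System.out.println("[cf-audit] handler mappings that can serve /cloudfoundryapplication/** requests:");
        hits.forEach(h -> System.out.println("[cf-audit]   " + h));
    }
}
```

The actuator's own Cloud Foundry endpoints are registered through a separate handler mapping, so they do not appear in the report; only the application's controllers do. A non-empty report on an application that is deployed to Cloud Foundry means the conditions in the Doc Text are met, and the mitigations it lists apply: upgrade to one of the versions in Fixed In Version, set management.cloudfoundry.enabled to false, or narrow the catch-all mapping so it no longer covers /cloudfoundryapplication/**.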

Description Pedro Sampaio 2023-08-11 17:30:52 UTC
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass.

References:

https://spring.io/security/cve-2023-20873
https://github.com/spring-projects/spring-boot/commit/307f3c339912466e78fcdac648fff95a4edea573
https://github.com/spring-projects/spring-boot/commit/3522714c13b47af03bf42e7f2d5994af568cb1a7
https://github.com/spring-projects/spring-boot/issues/35085
https://github.com/spring-projects/spring-boot/releases/tag/v2.7.11

Comment 1 Pedro Sampaio 2023-08-11 17:31:16 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2231492]

Comment 6 errata-xmlrpc 2023-09-13 15:40:16 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.2

Via RHSA-2023:5147 https://access.redhat.com/errata/RHSA-2023:5147

Comment 7 errata-xmlrpc 2023-09-13 16:10:01 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.2

Via RHSA-2023:5148 https://access.redhat.com/errata/RHSA-2023:5148

Comment 8 errata-xmlrpc 2023-12-06 23:30:44 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678