Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2180531]
This issue has been addressed in the following products: RHINT Camel-Springboot 3.20.1 Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
This issue has been addressed in the following products: AMQ Broker 7.10.3 Via RHSA-2023:3185 https://access.redhat.com/errata/RHSA-2023:3185
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-20860
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2023:3622 https://access.redhat.com/errata/RHSA-2023:3622
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2023:3771 https://access.redhat.com/errata/RHSA-2023:3771
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:3625 https://access.redhat.com/errata/RHSA-2023:3625
This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
This issue has been addressed in the following products: Red Hat support for Spring Boot 2.7.13 Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
This issue has been addressed in the following products: RHPAM 7.13.4 async Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983