Java Platform: Critical vulnerability in VMware Tanzu Spring Framework closed
Attackers could attack systems running VMware Tanzu Spring Framework. Patched versions are now available.
VMware Tanzu's open-source framework is designed to simplify development in Java. For security reasons, anyone who uses the framework should install one of the secured versions 5.3.23, 5.3.26 or 6.0.7.
According to an alert, the first vulnerability (CVE-2023-20860, CVSS 9.1) is rated "critical". Attackers could use a double wildcard ("**") as a pattern in the Spring Security configuration to trigger errors and thus bypass security mechanisms. According to the developers, only versions 6.0.0 up to and including 6.0.6 and 5.3.0 up to and including 5.3.25 are affected.
The second vulnerability (CVE-2023-20861, CVSS 5.3, "medium") affects versions 6.0.0 up to and including 6.0.6, 5.3.0 up to and including 5.3.25 and 5.2.0.RELEASE up to and including 5.2.22.RELEASE. Older versions that are no longer supported are also at risk. Attackers could exploit the vulnerability with specially crafted requests to trigger DoS states.
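To turn the affected version ranges above into a check that can be run against a build's dependency list, here is an added example (not code from the article or from the Spring project). It parses Spring version strings such as "5.2.22.RELEASE", compares them against the inclusive ranges the article gives for CVE-2023-20860 and CVE-2023-20861, and flags any org.springframework artifact in a `mvn dependency:list`-style listing. The dependency lines are constructed for the example, and the treatment of versions below 5.2.0 (flagged only for the DoS issue) follows the article's note that unsupported older versions are also at risk.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory above, inclusive on both ends.
# Qualifiers such as ".RELEASE" are ignored for the comparison.
AFFECTED = {
    "CVE-2023-20860": [("6.0.0", "6.0.6"), ("5.3.0", "5.3.25")],
    "CVE-2023-20861": [("6.0.0", "6.0.6"), ("5.3.0", "5.3.25"), ("5.2.0", "5.2.22")],
}

# Constructed sample in the groupId:artifactId:type:version:scope shape that
# `mvn dependency:list` prints; these lines are made up for the example.
SAMPLE_DEPENDENCY_LIST = """\
org.springframework:spring-core:jar:5.3.25:compile
org.springframework:spring-web:jar:5.3.25:compile
org.springframework:spring-webmvc:jar:5.2.22.RELEASE:compile
org.springframework:spring-context:jar:6.0.7:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
"""


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '5.2.22.RELEASE' or '6.0.6' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on the numeric part of the version."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the advisory whose affected range contains `version`."""
    if parse_version(version) < (5, 2, 0):
        # The advisory says unsupported older lines are also at risk for the DoS issue;
        # it does not list them for the bypass, so only CVE-2023-20861 is reported.
        return ["CVE-2023-20861"]
    return [
        cve
        for cve, ranges in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in ranges)
    ]


def scan_dependency_list(text: str) -> Dict[str, List[str]]:
    """Map each org.springframework artifact in a dependency listing to its affected CVEs."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0] != "org.springframework":
            continue  # only the Spring Framework artifacts are in scope here
        artifact, version = parts[1], parts[3]
        findings[f"{artifact}:{version}"] = affected_cves(version)
    return findings


if __name__ == "__main__":
    for artifact, cves in scan_dependency_list(SAMPLE_DEPENDENCY_LIST).items():
        status = ", ".join(cves) if cves else "not in an affected range"
        print(f"{artifact}: {status}")
```

The scan reports per artifact rather than per project because a build can pull several Spring modules at different versions; every org.springframework artifact should be on a version outside both ranges before the finding is closed.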