CVE-2023-20860 - Local Privilege Escalation

Severity: None2023-06-07

Security Advisories


Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v5.1 and olderNone Oxygen Content Fusion v6.0 build 2023110109
Oxygen Feedback v3.0.1 and olderNone Oxygen Feedback 3.0.2 build 2023072015





Severity: High

CVSS Score: 7.5

The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20860 vulnerability description. However, the Oxygen products do not use mvcMatchers. For that reason, the Oxygen XML products are not affected by this vulnerability.

Revision History

2023-07-26 Starting with Oxygen Feedback version 3.0.2 build 2023072015, the Spring Boot was updated to version 2.7.11, which includes a fix for CVE-2023-20860.

2023-11-06 Starting with Oxygen Content Fusion version 6.0 build 2023110109, the Spring Boot was updated to version 2.7.10, which includes a fix for CVE-2023-20860.

List of Security Advisories