CVE-2023-20860: 
Java vulnerability analysis and mitigation

Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25 contain a security vulnerability related to using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher. This vulnerability creates a mismatch in pattern matching between Spring Security and Spring MVC, potentially leading to a security bypass. The vulnerability was discovered internally and disclosed on March 20, 2023 (Spring Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impact to integrity without affecting confidentiality or availability (NVD).

Successful exploitation of this vulnerability could lead to security bypass, potentially allowing attackers to add or modify data. The vulnerability affects the integrity of the system while maintaining no impact on confidentiality or availability (NetApp Advisory).

The vulnerability has been fixed in Spring Framework versions 6.0.7+ and 5.3.26+. Users are advised to upgrade to these patched versions to address the security issue. These fixes were also included in subsequent Spring Boot releases 3.0.5 and 2.7.10 (Spring Blog).