CVE-2023-20873: 
Java vulnerability analysis and mitigation

CVE-2023-20873 is a security bypass vulnerability affecting Spring Boot versions 3.0.0-3.0.5, 2.7.0-2.7.10, 2.6.0-2.6.14, 2.5.0-2.5.14, and older unsupported versions. The vulnerability was disclosed on April 20, 2023, and affects applications deployed to Cloud Foundry that can handle requests matching /cloudfoundryapplication/**. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) (Spring Security, NVD).

The vulnerability specifically affects applications when all of the following conditions are met: the application has code that can handle requests matching /cloudfoundryapplication/, typically with a catch-all request mapping matching /, and the application is deployed to Cloud Foundry. Applications using Spring Cloud Config Server are particularly vulnerable as they handle requests to /cloudfoundryapplication/** by default when deployed to Cloud Foundry (Spring Security).

Successful exploitation of this vulnerability could lead to security bypass, potentially resulting in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

Users of affected versions should upgrade to the following fixed versions: 3.0.x users to 3.0.6+, 2.7.x users to 2.7.11+, 2.6.x users to 2.6.15+, and 2.5.x users to 2.5.15+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. Alternatively, users can disable Cloud Foundry actuator endpoints by setting management.cloudfoundry.enabled to false (Spring Security).