[ https://issues.apache.org/jira/browse/CXF-8835?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ashok Pai updated CXF-8835:
---------------------------
Description:
Spring Framework contains a security bypass vulnerability when {{**}} is used
as a pattern in Spring Security configuration with the {{mvcRequestMatcher}}
component. The potential for security bypass exists due to the mismatch in
pattern matching between Spring Security and Spring MVC, and this has been fixed
in 5.3.26.
Apache CXF 3.5.5 is present with Spring version 5.3.22. Please provide an updated
Apache CXF with the latest (5.3.26) Spring Framework jars/classes.
was:
There are a few vulnerabilities that have been reported with Spring 5.3.23. Apache CXF
3.5.5 is present with Spring version 5.3.22. Please provide an updated Apache CXF
with the latest (5.3.26) Spring Framework jars/classes.
> Upgrade to Spring 5.3.26
> ------------------------
>
> Key: CXF-8835
> URL: https://issues.apache.org/jira/browse/CXF-8835
> Project: CXF
> Issue Type: Improvement
> Reporter: Ashok Pai
> Priority: Major
> Fix For: 3.5.5
>
>
> Spring Framework contains a security bypass vulnerability when {{**}} is used
> as a pattern in Spring Security configuration with the {{mvcRequestMatcher}}
> component. The potential for security bypass exists due to the mismatch in
> pattern matching between Spring Security and Spring MVC, and this has been
> fixed in 5.3.26.
> Apache CXF 3.5.5 is present with Spring version 5.3.22. Please provide an
> updated Apache CXF with the latest (5.3.26) Spring Framework jars/classes.
>