[
https://issues.apache.org/jira/browse/CXF-8835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17715569#comment-17715569
]
Dhoka Pramod commented on CXF-8835:
-----------------------------------
The fix version seems to be incorrect as per my understanding as apache-CXF
3.5.5 has spring 5.3.22 jars. Could you please update it accordingly.
> Upgrade to Spring 5.3.26
> ------------------------
>
> Key: CXF-8835
> URL: https://issues.apache.org/jira/browse/CXF-8835
> Project: CXF
> Issue Type: Improvement
> Reporter: Ashok Pai
> Priority: Major
> Fix For: 3.5.5
>
>
> Spring framework contains a security bypass vulnerability when {{**}} is used
> as a pattern in Spring Security configuration with the {{mvcRequestMatcher}}
> component. The potential for security bypass exists due to the mismatch in
> pattern matching between Spring Security and Spring MVC and this has been
> fixed in 5.3.26.
> Apache cxf 3.5.5 is present with spring version 5.3.22. Please provide
> updated Apache CXF with latest (5.3.26) spring framework jars/classes.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
