Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.

  - xstream: Denial of Service by injecting recursive collections or maps based on element's hash values     raising a stack overflow (CVE-2022-41966)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  - jenkins-2-plugin: email-ext: Missing permission check in Email Extension Plugin (CVE-2023-32979)

  - jenkins-2-plugin: email-ext: CSRF vulnerability in Email Extension Plugin (CVE-2023-32980)

  - jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility     Steps Plugin (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3610 advisory.

  - jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

  - maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - jettison: parser crash by stackoverflow (CVE-2022-40149)

  - jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

  - jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError     which may lead to dos (CVE-2022-45693)

  - json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)     (CVE-2023-1370)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

  - jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  - jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  - jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility     Steps Plugin (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3622 advisory.

  - maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)     (CVE-2023-1370)

  - jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

  - Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3663 advisory.

  - http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

  - springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)

  - jettison: parser crash by stackoverflow (CVE-2022-40149)

  - jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

  - xstream: Denial of Service by injecting recursive collections or maps based on element's hash values     raising a stack overflow (CVE-2022-41966)

  - jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

  - jackson-databind: use of deeply nested arrays (CVE-2022-42004)

  - json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)     (CVE-2023-1370)

  - jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)

  - Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)

  - Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)

  - Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

  - jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  - jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility     Steps Plugin (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

  - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using ** as a pattern in Spring     Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring     Security and Spring MVC, and the potential for a security bypass. (CVE-2023-20860)

  - Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to     be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able     to set build display names immediately. (CVE-2023-32977)

  - Jenkins Email Extension Plugin does not perform a permission check in a method implementing form     validation, allowing attackers with Overall/Read permission to check for the existence of files in the     email-templates/ directory in the Jenkins home directory on the controller file system. (CVE-2023-32979)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to     make another user stop watching an attacker-specified job. (CVE-2023-32980)

  - An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows     attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent     file system with attacker-specified content. (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Identity Manager installed on the remote host is missing a security patch and is, therefore affected by multiple vulnerabilities as referenced in the July 2023 Critical Patch Update(CPU) advisory.

  - Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Third Party     (Spring Framework)). The supported version that is affected is 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity     Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or     modification access to critical data or all Oracle Identity Manager accessible data. (CVE-2023-20860)

  - Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Installer     (Apache Commons FileUpload)). The supported version that is affected is 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity     Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Oracle Identity Manager. (CVE-2023-24998)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:3771 advisory.

    The VDSM service is required by a Virtualization Manager to manage the Linux hosts. VDSM manages and     monitors the host's storage, memory and networks as well as virtual machine creation, other host     administration tasks, statistics gathering, and log collection.

    The following packages have been upgraded to a later upstream version: ovirt-dependencies (4.5.3), ovirt-     engine (4.5.3.8), vdsm (4.50.3.8). (BZ#2180717)

    Security Fix(es):

    * springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

    * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Previously, a host with Secure Intel Icelake Server Family could become non-operational because it did     not provide the taa-no CPU feature.
    In this release, the check has been fixed in the Manager, and such hosts work properly. (BZ#2184623)

    * Previously, when creating bonds on a host outside the Manager and adding the host without starting it,     the Rx\Tx drop count is shown as null.
    As a result, a Null Pointer Exception is thrown in the Administration Portal > Compute > Hosts > Network     Interfaces tab.
    With this release, null values are accepted, and there are no exceptions displayed in the Network     Interfaces tab. (BZ#2180230)

    * Previously, the Volume Extend Logic method skipped sparse volumes. As a result,  RAW sparse volumes (on     file storage) were not extended properly.
    In this release, RAW sparse volumes are extended as expected. (BZ#2210036)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host contains a Spring Framework version is affected by a security bypass vulnerability. Using ** as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194326	RHEL 8 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)	Nessus	Red Hat Local Security Checks	high
194324	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3610)	Nessus	Red Hat Local Security Checks	critical
194300	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3622)	Nessus	Red Hat Local Security Checks	critical
194242	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3663)	Nessus	Red Hat Local Security Checks	critical
189419	RHCOS 4 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)	Nessus	Red Hat Local Security Checks	high
178709	Oracle Identity Manager (Jul 2023 CPU)	Nessus	Misc.	high
177528	RHEL 8 : Red Hat Virtualization (RHSA-2023:3771)	Nessus	Red Hat Local Security Checks	high
175104	Spring Framework 5.3.x < 5.3.26 / 6.0.x < 6.0.7 Security Bypass (CVE-2023-20860)	Nessus	Misc.	high

Detections

Analytics

CVE-2023-20860

high

Tenable Plugins

high

critical

critical

critical

high

high

high

high