Safeguard
Security

CVE-2023-20873: The Spring Boot Cloud Foundry Auth Bypass Explained

A clear breakdown of CVE-2023-20873, the Spring Boot security bypass on Cloud Foundry: affected versions, why wildcard matching caused it, and how to fix it.

Safeguard Research Team
Research
5 min read

CVE-2023-20873 is a security bypass vulnerability in Spring Boot applications deployed to Cloud Foundry, where a broad wildcard pattern used to protect the /cloudfoundryapplication/** actuator endpoints could be evaded, potentially exposing sensitive management endpoints to unauthenticated requests. It carries a high severity rating and affects a wide range of Spring Boot versions. If you run Spring Boot on Cloud Foundry, this is one to understand and patch, and the good news is that the fix is a straightforward version bump.

What the vulnerability is

Spring Boot exposes a set of Cloud Foundry-specific actuator endpoints under /cloudfoundryapplication when deployed to that platform. These endpoints surface management and diagnostic information and are meant to be protected. The security configuration that guarded them relied on matching the broad wildcard pattern /cloudfoundryapplication/** rather than on paths dynamically generated from the actual registered endpoints.

That reliance on a static wildcard is the crux of CVE-2023-20873. An application becomes vulnerable when it has code that can handle requests matching /cloudfoundryapplication/**, which is typically the case if there is a catch-all request mapping matching /**, and it is deployed to Cloud Foundry. Under those conditions the protection can be bypassed, and requests reach management functionality that should have required authorization.

Affected versions

According to Spring's advisory, CVE-2023-20873 affects:

  • Spring Boot 3.0.0 through 3.0.5
  • Spring Boot 2.7.0 through 2.7.10
  • Spring Boot 2.6.0 through 2.6.14
  • Spring Boot 2.5.0 through 2.5.14
  • Older, unsupported versions

The fixed releases are Spring Boot 3.0.6 for the 3.0.x line and 2.7.11 for the 2.7.x line. Users on the older 2.6.x and 2.5.x lines, which were already out of open-source support, are advised to move to a supported, fixed version rather than expecting a backport.

Why wildcard matching was the problem

The root cause is a general lesson worth internalizing beyond this one CVE. Security decisions that depend on pattern-matching request paths are fragile when the pattern is broad and the routing is permissive. A catch-all mapping like /** means the application will attempt to handle almost any path, and if the security layer and the dispatch layer disagree about which requests fall under /cloudfoundryapplication/**, an attacker can craft a request that the security check treats as out of scope while the application still routes it to the sensitive endpoint.

The fix moved away from trusting the broad wildcard toward validating against the actual endpoint mappings, so the protection reflects what the application really exposes rather than a hopeful glob. It is the same principle behind the guidance to use precise matchers like MvcRequestMatcher elsewhere in the Spring ecosystem: the security layer must interpret a path exactly the way the dispatch layer will.

How to know if you are exposed

Two conditions have to hold together. First, the application is deployed to Cloud Foundry, since these endpoints are specific to that platform. If you do not deploy to Cloud Foundry, this particular flaw does not affect you. Second, the application has a request-handling path that can match /cloudfoundryapplication/**, which most commonly happens through a catch-all /** mapping.

If both are true and you are on an affected version, treat the app as vulnerable. If only one is true you are likely not exposed to CVE-2023-20873 specifically, but that is a reason to prioritize rather than to ignore the upgrade.

How to remediate

The remediation is a version upgrade, and it is the cleanest kind of fix because it requires no application code changes:

<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>3.0.6</version>
</parent>

Upgrade to 3.0.6 or later on the 3.0.x line, or 2.7.11 or later on the 2.7.x line. If you are on 2.6.x or 2.5.x, plan a move to a currently supported branch, since staying on an unsupported line leaves you exposed to this and every subsequent Spring Boot CVE.

After upgrading, confirm the resolved version in your build:

mvn dependency:tree -Dincludes=org.springframework.boot:spring-boot

Because Spring Boot is frequently pulled in and pinned transitively, the version you think you run is not always the version you actually resolve. An SCA tool will match your resolved Spring Boot version against the CVE-2023-20873 affected ranges automatically, so you do not have to cross-reference advisories by hand across every service. If you manage several Spring services, our spring-webmvc security guide covers a related set of framework CVEs worth patching in the same pass.

FAQ

What is CVE-2023-20873?

It is a security bypass vulnerability in Spring Boot applications deployed to Cloud Foundry. A broad wildcard pattern protecting the /cloudfoundryapplication/** actuator endpoints could be evaded, potentially exposing sensitive management endpoints to unauthorized requests.

Which Spring Boot versions are affected?

Spring Boot 3.0.0 to 3.0.5, 2.7.0 to 2.7.10, 2.6.0 to 2.6.14, 2.5.0 to 2.5.14, and older unsupported versions. The fixes are in 3.0.6 and 2.7.11; users on older lines should move to a supported, fixed release.

Am I affected if I do not use Cloud Foundry?

No. The vulnerable endpoints are specific to Cloud Foundry deployments. If you do not deploy to Cloud Foundry, CVE-2023-20873 does not apply, though keeping Spring Boot patched still protects you from other advisories.

How do I fix CVE-2023-20873?

Upgrade Spring Boot to 3.0.6 or later, or 2.7.11 or later, depending on your line. The fix is a version bump with no required application code changes. Verify the resolved version afterward, since Spring Boot is often pinned transitively.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.