[FP]: Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC
#6345
Closed
bhaskar-s-019 opened this issue
Dec 26, 2023
· 2 comments
In a production environment, only Spring Web and Beans are used; this vulnerability talks about the Spring MVC Security configuration. Can this be considered a false positive?
If you don't use Spring Security it appears not to be applicable to your usage; however, within the DependencyCheck project we do not micro-manage attribution of framework CVEs to their composing parts (individual libraries) for a framework that is released as a whole and therefore receives a single CPE identifier at NVD.
Suppressions such as these (as well as the determination whether or not the used part of the framework is affected by the vulnerability) are left to the project that decides to continue using an older version of only a part of such a framework.
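A project-side suppression of the kind the comment above refers to, as an added example rather than anything from this issue: a DependencyCheck suppression file that hides CVE-2023-20860 only for the spring-core package URL reported here. The `notes` text, the `until` expiry date and the regex form of the package URL are assumptions for illustration; the finding in the project should first have been confirmed as not applicable (no Spring Security with `mvcRequestMatcher` in use) before it is suppressed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Time-bound suppression: the date is a placeholder; re-validate when it expires
         or when the Spring version changes. -->
    <suppress until="2024-12-31Z">
        <notes><![CDATA[
        CVE-2023-20860 affects Spring Security configurations that use "**" with
        mvcRequestMatcher. This service ships only spring-web and spring-beans and
        does not use Spring Security, so the finding was judged not applicable.
        Reviewed by: <reviewer placeholder>, ticket: <ticket placeholder>.
        ]]></notes>
        <!-- Scope the suppression to the exact artifact, not to every Spring module. -->
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
        <!-- Suppress only this CVE; other vulnerabilities on spring-core still report. -->
        <cve>CVE-2023-20860</cve>
    </suppress>
</suppressions>
```

The file is referenced from the Maven plugin's `suppressionFiles` configuration; scoping by `packageUrl` plus a single `cve` keeps the suppression from silently hiding other findings on the same artifact.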
Package URL
pkg:maven/org.springframework/spring-core@.*
CPE
cpe:2.3:a:vmware:spring_framework:::::::: versions from (including) 5.3.0; versions up to (excluding) 5.3.26
CVE
CVE-2023-20860
ODC Integration
Maven Plugin
ODC Version
8.4.1