CVE-2022-22950Allocation of Resources Without Limits or Throttling in Vmware Spring Framework

CWE-770Allocation of Resources Without Limits or Throttling8 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
4.1%
top 11.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Vmware Spring Framework
Timeline
PublishedApr 1
Latest updateJul 15

Description

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDvmware/spring_framework5.3.05.3.17+1
CVEListV5vmware/spring_frameworkSpring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions

🔴Vulnerability Details

4
OSV
Allocation of Resources Without Limits or Throttling in Spring Framework2022-04-03
GHSA
Allocation of Resources Without Limits or Throttling in Spring Framework2022-04-03
OSV
CVE-2022-22950: n Spring Framework versions 52022-04-01
CVEList
CVE-2022-22950: n Spring Framework versions 52022-04-01

📋Vendor Advisories

3
Oracle
Oracle Oracle Enterprise Manager Risk Matrix: Security Management (Spring Framework) — CVE-2022-229502023-07-15
Red Hat
spring-expression: Denial of service via specially crafted SpEL expression2022-03-28
Debian
CVE-2022-22950: libspring-java - n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is...2022
CVE-2022-22950 — Vmware Spring Framework vulnerability | cvebase