CVE-2023-20861

CWE-400 — Uncontrolled Resource Consumption CWE-917 CWE-770 — Allocation without Limits9 documents7 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 38.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework

Timeline

PublishedMar 23

Latest updateApr 15

Description

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.springframework:spring-expression6.0.0 — 6.0.7+2

▶NVDvmware/spring_framework5.3.0 — 5.3.25+2

▶CVEListV5spring_frameworkSpring Framework (6.0.0 to 6.0.6, 5.3.0 to 5.3.25, 5.2.0.RELEASE to 5.2.22.RELEASE, Older unsupported versions are also affected)

🔴Vulnerability Details

OSV

CVE-2023-20861: In Spring Framework versions 6↗2023-03-23

▶

GHSA

Spring Framework vulnerable to denial of service via specially crafted SpEL expression↗2023-03-23

▶

OSV

Spring Framework vulnerable to denial of service via specially crafted SpEL expression↗2023-03-23

▶

CVEList

CVE-2023-20861: In Spring Framework versions 6↗2023-03-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Install (Spring Framework) — CVE-2023-20861↗2024-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Spring Boot) — CVE-2023-20861↗2023-07-15

▶

Red Hat

springframework: Spring Expression DoS Vulnerability↗2023-03-20

▶

Debian

CVE-2023-20861: libspring-java - In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2....↗2023

▶