CVE-2023-20863

CWE-400Uncontrolled Resource ConsumptionCWE-917CWE-770Allocation without Limits11 documents7 sources
Severity
6.5MEDIUM
EPSS
0.8%
top 26.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Vmware Spring Framework
Timeline
PublishedApr 13
Latest updateOct 15

Description

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

Mavenorg.springframework:spring-expression6.0.06.0.8+2
NVDvmware/spring_framework5.2.05.2.24+2
CVEListV5spring_frameworkSpring framework versions 5.2.x.release prior to 5.2.24.release+, 5.3.x prior to 5.3.27+, 6.0.x prior to 6.0.8+ and older unsupported versions

🔴Vulnerability Details

4
OSV
CVE-2023-20863: In spring framework versions prior to 52023-04-13
GHSA
Spring Framework vulnerable to denial of service2023-04-13
OSV
Spring Framework vulnerable to denial of service2023-04-13
CVEList
CVE-2023-20863: In spring framework versions prior to 52023-04-13

📋Vendor Advisories

6
Oracle
Oracle Oracle Commerce Risk Matrix: Endeca Application Controller (Spring Framework) — CVE-2023-208632024-10-15
Oracle
Oracle Oracle Commerce Risk Matrix: Platform (Spring Framework) — CVE-2023-208632024-04-15
Oracle
Oracle Oracle Commerce Risk Matrix: Workbench, Endeca Application Controller, Content Acquisition System (Spring Framework) — CVE-2023-208632023-10-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Charging Server (Spring Framework) — CVE-2023-208632023-07-15
Red Hat
springframework: Spring Expression DoS Vulnerability2023-04-13