CVE-2023-20861

Spring Framework vulnerable to denial of service via specially crafted SpEL expression in maven/org.springframework/spring-core

Identifiers

GHSA-564r-hj7v-mcr5, CVE-2023-20861

Package Slug

maven/org.springframework/spring-core

Vulnerability

Spring Framework vulnerable to denial of service via specially crafted SpEL expression

Description

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Affected Versions

All versions before 5.2.23.RELEASE, all versions starting from 5.3.0 before 5.3.26, all versions starting from 6.0.0 before 6.0.7

Solution

Upgrade to 5.2.23.RELEASE, 5.3.26, or 6.0.7, or a later release in the same line.
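To turn the affected-version ranges above into something a build pipeline can check, the following Python script (an added example, not part of the advisory or of the Spring project) transcribes the three ranges from this advisory and compares a spring-core version against them. It handles the `.RELEASE` qualifier used by Spring 5.2.x and older, treats other qualifiers (RC, SNAPSHOT) as pre-releases that sort before the final version, and scans `mvn dependency:tree` output for the spring-core coordinate. The sample tree text is constructed for the example; the function and constant names are the example's own.

```python
"""Check Spring Framework spring-core versions against the affected ranges
published for CVE-2023-20861 / GHSA-564r-hj7v-mcr5.

Added example, not part of the advisory or the Spring project. The ranges
below are transcribed from the advisory's "Affected Versions" section.
"""
import re

# (introduced, fixed): affected if introduced <= version < fixed.
# None as "introduced" means no lower bound (covers older unsupported lines).
AFFECTED_RANGES = [
    (None, "5.2.23.RELEASE"),   # all versions before 5.2.23.RELEASE
    ("5.3.0", "5.3.26"),        # 5.3.0 <= v < 5.3.26
    ("6.0.0", "6.0.7"),         # 6.0.0 <= v < 6.0.7
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9]+))?")


def parse_version(version):
    """Turn '5.2.22.RELEASE', '6.0.6' or '6.0.7-SNAPSHOT' into a comparable tuple.

    Spring 5.2.x and earlier carried a trailing .RELEASE qualifier; 5.3+ dropped
    it. A missing qualifier is treated as RELEASE. Any other qualifier (M1, RC1,
    SNAPSHOT) is a pre-release and sorts before the final build of that number.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    qualifier = (m.group(4) or "RELEASE").upper()
    final_rank = 1 if qualifier == "RELEASE" else 0
    return (major, minor, patch, final_rank)


def is_affected(version):
    """True if the given spring-core version falls inside any affected range."""
    pv = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        above_lower = introduced is None or pv >= parse_version(introduced)
        if above_lower and pv < parse_version(fixed):
            return True
    return False


# Matches the coordinate line that `mvn dependency:tree` prints for spring-core.
_TREE_RE = re.compile(r"org\.springframework:spring-core:jar:([^:\s]+)")


def find_affected_in_tree(tree_text):
    """Return the sorted set of affected spring-core versions found in
    `mvn dependency:tree` output (hypothetical helper for this example)."""
    found = {v for v in _TREE_RE.findall(tree_text) if is_affected(v)}
    return sorted(found)


# Constructed sample of `mvn dependency:tree` output for a small project.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- org.springframework:spring-core:jar:5.3.25:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.3.25:compile
[INFO] \\- org.springframework:spring-expression:jar:5.3.25:compile
"""

if __name__ == "__main__":
    for v in ["5.2.22.RELEASE", "5.2.23.RELEASE", "5.3.25", "5.3.26", "6.0.6", "6.0.7"]:
        print(f"{v:16} affected={is_affected(v)}")
    print("affected versions in sample tree:", find_affected_in_tree(SAMPLE_TREE))
```

Versions that are not affected by any range, such as 5.3.26 or 6.0.7, fall through every comparison; a version older than the whole 5.2 line (4.3.x, for instance) is caught by the first, unbounded range, which is how the advisory's "older unsupported versions" wording is modelled.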

Last Modified

2023-03-24
