CVE-2023-20863

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in maven/org.springframework/spring-expression

Identifiers

GHSA-wxqc-pxw9-g2p8, CVE-2023-20863

Package Slug

maven/org.springframework/spring-expression

Vulnerability

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Description

In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. The advisory does not describe the expression itself; the risk applies wherever an application parses and evaluates SpEL that an untrusted party can influence.

Affected Versions

All versions before 5.2.24.RELEASE, all versions starting from 5.3.0 before 5.3.27, all versions starting from 6.0.0 before 6.0.8

Solution

Upgrade to versions 5.3.27, 6.0.8, 5.2.24.RELEASE or above.
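The following Python script is an added example, not part of this advisory or of the Spring project. It encodes the three affected ranges above as half-open intervals and checks every spring-expression artifact found in `mvn dependency:tree` output. The sample tree output is constructed for illustration, and the assumed line layout (`groupId:artifactId:jar:version:scope`) is Maven's usual one; how a pre-release qualifier such as `-SNAPSHOT` of a fixed version is ordered is an assumption stated in the comments.

```python
import re

# Affected ranges as stated in this advisory, as [lower, upper) on the tuple
# (major, minor, patch, release_rank). rank 0 = pre-release qualifier
# (M1, RC1, SNAPSHOT, ...), rank 1 = final release (no qualifier or ".RELEASE").
AFFECTED_RANGES = [
    ((0, 0, 0, 0), (5, 2, 24, 1)),  # everything before 5.2.24.RELEASE
    ((5, 3, 0, 0), (5, 3, 27, 1)),  # 5.3.0 <= v < 5.3.27
    ((6, 0, 0, 0), (6, 0, 8, 1)),   # 6.0.0 <= v < 6.0.8
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9.-]+))?$")


def version_key(version: str):
    """Map a Spring Framework version string to a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    qualifier = (m.group(4) or "RELEASE").upper()
    # Assumption: any qualifier other than RELEASE is a pre-release build and
    # sorts below the final release of the same number, so 5.3.27-SNAPSHOT is
    # still "before 5.3.27" and therefore still inside the affected range.
    rank = 1 if qualifier == "RELEASE" else 0
    return core + (rank,)


def is_affected(version: str) -> bool:
    """True if the given spring-expression version falls in an affected range."""
    key = version_key(version)
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


# Assumed Maven layout: groupId:artifactId:jar:version:scope
_TREE_LINE_RE = re.compile(r"org\.springframework:spring-expression:jar:([^:\s]+):")


def scan_dependency_tree(tree_output: str):
    """Return [(version, affected)] for each spring-expression artifact found
    in `mvn dependency:tree` output."""
    return [(v, is_affected(v)) for v in _TREE_LINE_RE.findall(tree_output)]


# Constructed sample output (not from a real build): a multi-module build that
# resolves two different spring-expression versions.
SAMPLE_TREE = """\
[INFO] com.example:api:jar:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:5.3.26:compile
[INFO] |  \\- org.springframework:spring-expression:jar:5.3.26:compile
[INFO] com.example:worker:jar:1.0.0
[INFO] +- org.springframework:spring-context:jar:6.0.8:compile
[INFO] |  \\- org.springframework:spring-expression:jar:6.0.8:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-expression {version}: {'AFFECTED' if affected else 'ok'}")
```

Run it against real output with `mvn dependency:tree | python3 check.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`. The check only tells you whether a resolved jar is inside the advisory's ranges; whether the application is actually exposed depends on whether it evaluates SpEL that an attacker can influence, and the remediation in either case is the upgrade named above.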

Last Modified

2024-02-05
