CVE-2023-20861

Published: Mar 23, 2023Modified: Feb 25, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Affected (3)

Products: Vmware: Spring Framework

Vmware

1 product

Spring Framework

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Framework	Up to 5.2.22
Vmware Spring Framework	From 5.3.0 to 5.3.25
Vmware Spring Framework	From 6.0.0 to 6.0.6

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (4)

https://security.netapp.com/advisory/ntap-20230420-0007/

Source: security@vmware.com

https://spring.io/security/cve-2023-20861

Source: security@vmware.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230420-0007/

Source: af854a3a-2127-422b-91ae-364da2661108

https://spring.io/security/cve-2023-20861

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.