CVE-2023-20863

Published: Apr 13, 2023Modified: Feb 7, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Affected (3)

Products: Vmware: Spring Framework

Vmware

1 product

Spring Framework

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Framework	From 5.2.0 to 5.2.24
Vmware Spring Framework	From 5.3.0 to 5.3.27
Vmware Spring Framework	From 6.0.0 to 6.0.8

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

References (4)

https://security.netapp.com/advisory/ntap-20240524-0015/

Source: security@vmware.com

https://spring.io/security/cve-2023-20863

Source: security@vmware.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240524-0015/

Source: af854a3a-2127-422b-91ae-364da2661108

https://spring.io/security/cve-2023-20863

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.