168 matches found

RedHat Linux
added 2023/05/03 2:5 p.m. · 3 views

springframework: Spring Expression DoS Vulnerability

A flaw was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS)...

CVSS 6.5 · AI score 7.1 · EPSS 0.0097
Exploits 1 · References 5

Veracode
added 2023/04/18 7:2 a.m. · 31 views

Denial Of Service (DoS)

Spring Expression Language is vulnerable to Denial of Service (DoS). The vulnerability exists in the doParseExpression function of InternalSpelExpressionParser.java because the SpEL expression length is not restricted, which allows an attacker to cause an application crash...

CVSS 6.5 · AI score 6.3 · EPSS 0.01122
Exploits 0 · References 9 · Affected Software 1

vulnersOsv
added 2023/04/13 9:30 p.m. · 3 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.4.0.1), ai.dev-tools:ai-devtools (>=0.1.12 <=0.1.20) +35882 more potentially affected by CVE-2023-20863 via org.springframework:spring-expression (>=3.0.0.RELEASE <=5.2.23.RELEASE)

org.springframework:spring-expression MAVEN version =3.0.0.RELEASE, =4.4.0.0, =0.1.12, =0.1.6, =0.1.8, =0.1.6, =0.1.2, =0.0.6, =0.0.11, =0.0.16, =0.0.1, =0.0.47, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.21 and more. Source CVEs: CVE-2023-20863. Source advisory: OSV:GHSA-WXQC-PXW9-G2P8...

CVSS 6.5 · AI score 6.8 · EPSS 0.01122
Exploits 0

vulnersOsv
added 2023/04/13 9:30 p.m. · 7 views

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-application (>=1.1.0 <=1.2.0) +20168 more potentially affected by CVE-2023-20863 via org.springframework:spring-expression (>=5.3.0 <=5.3.26)

org.springframework:spring-expression MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more. Source CVEs: CVE-2023-20863. Source advisory: OSV:GHSA-WXQC-PXW9-G2P8...

CVSS 6.5 · AI score 6.8 · EPSS 0.01122
Exploits 0

vulnersOsv
added 2023/04/13 9:30 p.m. · 9 views

ai.optfor:spring-openai-api (>=0.1.3 <=0.3.25), ai.superstream:spring-kafka (=3.0.1-alpha1) +8819 more potentially affected by CVE-2023-20863 via org.springframework:spring-expression (>=6.0.0 <=6.0.7)

org.springframework:spring-expression MAVEN version =6.0.0, =0.1.3, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =0.0.6, =0.0.6, =1.3.0, =4.5.0, =4.0.0, =4.0.3 - be.jidoka:jdk-keycloak-admin =2.0.0 and more. Source CVEs: CVE-2023-20863. Source advisory: OSV:GHSA-WXQC-PXW9-G2P8...

CVSS 6.5 · AI score 6.8 · EPSS 0.01122
Exploits 0

OSV
added 2023/04/13 9:30 p.m. · 0 views

GHSA-WXQC-PXW9-G2P8 Spring Framework vulnerable to denial of service

In Spring Framework versions prior to 5.2.24.release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition...

CVSS 7.5 · AI score 6.8 · EPSS 0.01122
Exploits 0 · References 7

OSV
added 2023/04/13 8:15 p.m. · 2 views

DEBIAN-CVE-2023-20863

In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition...

CVSS 6.5 · AI score 6.7 · EPSS 0.01122
Exploits 0 · References 1

OSV
added 2023/04/13 8:15 p.m. · 1 views

UBUNTU-CVE-2023-20863

In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition...

CVSS 6.5 · AI score 6.8 · EPSS 0.01122
Exploits 0 · References 3

BDU FSTEC
added 2023/04/04 12:0 a.m. · 3 views

Vulnerability in the Spring Framework software platform, related to unrestricted resource allocation, that allows attackers to cause service failures

The vulnerability in the Spring Framework software platform is related to unrestricted resource allocation. Exploiting this vulnerability can allow a malicious actor, operating remotely, to cause service failures using specially crafted SpEL expressions...

CVSS 6.8 · AI score 6.6 · EPSS 0.0097
Exploits 1 · References 5 · Affected Software 7

vulnersOsv
added 2023/03/23 9:30 p.m. · 5 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.4.0.1), ai.dev-tools:ai-devtools (>=0.1.12 <=0.1.20) +35838 more potentially affected by CVE-2023-20861 via org.springframework:spring-expression (>=3.0.0.RELEASE <=5.2.22.RELEASE)

org.springframework:spring-expression MAVEN version =3.0.0.RELEASE, =4.4.0.0, =0.1.12, =0.1.6, =0.1.8, =0.1.6, =0.1.2, =0.0.6, =0.0.11, =0.0.16, =0.0.1, =0.0.47, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.21 and more. Source CVEs: CVE-2023-20861. Source advisory: OSV:GHSA-564R-HJ7V-MCR5...

CVSS 6.5 · AI score 6.6 · EPSS 0.0097
Exploits 1

vulnersOsv
added 2023/03/23 9:30 p.m. · 1 views

ai.optfor:spring-openai-api (>=0.1.3 <=0.3.25), ai.superstream:spring-kafka (=3.0.1-alpha1) +8472 more potentially affected by CVE-2023-20861 via org.springframework:spring-expression (>=6.0.0 <=6.0.6)

org.springframework:spring-expression MAVEN version =6.0.0, =0.1.3, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =0.0.6, =0.0.6, =1.3.0, =4.5.0, =4.0.0, =4.0.3 - be.jidoka:jdk-keycloak-admin =2.0.0 and more. Source CVEs: CVE-2023-20861. Source advisory: OSV:GHSA-564R-HJ7V-MCR5...

CVSS 6.5 · AI score 6.6 · EPSS 0.0097
Exploits 1

vulnersOsv
added 2023/03/23 9:30 p.m. · 3 views

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-application (>=1.1.0 <=1.2.0) +19739 more potentially affected by CVE-2023-20861 via org.springframework:spring-expression (>=5.3.0 <=5.3.25)

org.springframework:spring-expression MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more. Source CVEs: CVE-2023-20861. Source advisory: OSV:GHSA-564R-HJ7V-MCR5...

CVSS 6.5 · AI score 6.6 · EPSS 0.0097
Exploits 1

OSV
added 2023/03/23 9:15 p.m. · 4 views

DEBIAN-CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition...

CVSS 6.5 · AI score 6.5 · EPSS 0.0097
Exploits 1 · References 1

CNNVD
added 2023/03/23 12:0 a.m. · 5 views

Spring Framework security vulnerability

Spring Framework is an open source Java and Java EE application framework from the U.S. Spring team. The framework helps developers build high-quality applications. A security vulnerability exists in Spring Framework versions 6.0.0 through 6.0.6, 5.3.0 through 5.3.25, 5.2.0 through 5.2.22, and...

CVSS 6.5 · AI score 6.6 · EPSS 0.0097
Exploits 1 · References 9

Positive Technologies
added 2023/03/23 12:0 a.m. · 5 views

PT-2023-2099 · Spring +1 · Spring Framework +1

Name of the Vulnerable Software and Affected Versions: Spring Framework versions 5.2.0.RELEASE through 5.2.22.RELEASE; Spring Framework versions 5.3.0 through 5.3.25; Spring Framework versions 6.0.0 through 6.0.6. Description: The issue is related to unrestricted resource allocation in the Spring...

CVSS 6.8 · AI score 6.2 · EPSS 0.0097
Exploits 1 · References 22

OSV
added 2023/03/22 1:1 p.m. · 3 views

OSV-2023-214 Security exception in org.springframework.expression.spel.ast.OpPlus.getValueInternal

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57295
Crash type: Security exception
Crash state: org.springframework.expression.spel.ast.OpPlus.getValueInternal, java.base/java.util.HashMap.get, org.springframework.core.convert.TypeDescriptor.valueOf...

AI score 7.1
Exploits 0 · References 1

SUSE CVE
added 2023/02/15 3:28 a.m. · 5 views

SUSE CVE-2022-22963

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...

CVSS 9.8 · AI score 9 · EPSS 0.99939
Exploits 36 · References 3

Positive Technologies
added 2022/09/24 12:0 a.m. · 5 views

PT-2022-16005 · Nepxion · Nepxion Discovery

Name of the Vulnerable Software and Affected Versions: Nepxion Discovery, affected versions not specified. Description: The issue is related to SpEL Injection in discovery-commons, where the DiscoveryExpressionResolver’s eval method evaluates expressions with a StandardEvaluationContext. This allow...

CVSS 9.8 · AI score 9.5 · EPSS 0.0173
Exploits 1 · References 7

CNNVD
added 2022/09/24 12:0 a.m. · 33 views

Nepxion security vulnerability

Nepxion Discovery is an enhanced middleware for service registration discovery for Spring Cloud. Nepxion Discovery 6.16.2 and earlier versions are vulnerable to a remote code execution vulnerability that stems from a lack of validation of input data in Discovery-commons and is susceptible to SpEL...

CVSS 9.8 · AI score 8.6 · EPSS 0.0173
Exploits 1 · References 2

VulnCheck KEV
added 2022/08/19 12:0 a.m. · 7 views

VulnCheck KEV: CVE-2022-22963

When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...

CVSS 9.8 · AI score 7.8 · EPSS 0.99939
Exploits 36 · References 1