CVE-2023-20861

2023-03-2321:15:19

[email protected]

web.nvd.nist.gov

130

spring framework

cve-2023-20861

dos

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.6%

JSON

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Affected configurations

NVD

Node

vmwarespring_frameworkRange≤5.2.22

vmwarespring_frameworkRange5.3.0–5.3.25

vmwarespring_frameworkRange6.0.0–6.0.6

CPENameOperatorVersion
vmware:spring_frameworkvmware spring frameworkle5.2.22
vmware:spring_frameworkvmware spring frameworkle5.3.25
vmware:spring_frameworkvmware spring frameworkle6.0.6

CPE	Name	Operator	Version
vmware:spring_framework	vmware spring framework	le	5.2.22
vmware:spring_framework	vmware spring framework	le	5.3.25
vmware:spring_framework	vmware spring framework	le	6.0.6

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Spring Framework",
    "versions": [
      {
        "version": "Spring Framework (6.0.0 to 6.0.6, 5.3.0 to 5.3.25, 5.2.0.RELEASE to 5.2.22.RELEASE, Older unsupported versions are also affected)",
        "status": "affected"
      }
    ]
  }
]