GHSA-564r-hj7v-mcr5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-564r-hj7v-mcr5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-564r-hj7v-mcr5/GHSA-564r-hj7v-mcr5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-564r-hj7v-mcr5
- Aliases
- Published
- 2023-03-23T21:30:19Z
- Modified
- 2025-02-25T18:49:10.146212Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Spring Framework vulnerable to denial of service via specially crafted SpEL expression
- Details
-
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2023-03-23T21:15:00Z", "cwe_ids": [ "CWE-400", "CWE-917" ], "github_reviewed_at": "2023-03-23T23:10:59Z", "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-20861
- https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1
- https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f
- https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5
- https://github.com/spring-projects/spring-framework
- https://security.netapp.com/advisory/ntap-20230420-0007
- https://spring.io/security/cve-2023-20861
Affected packages
Maven
org.springframework:spring-expression
Package
- Name
- org.springframework:spring-expression
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-expression
org.springframework:spring-expression
Package
- Name
- org.springframework:spring-expression
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-expression
org.springframework:spring-expression
Package
- Name
- org.springframework:spring-expression
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-expression
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.2.23.RELEASE
Affected versions
3.*
3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
3.2.11.RELEASE
3.2.12.RELEASE
3.2.13.RELEASE
3.2.14.RELEASE
3.2.15.RELEASE
3.2.16.RELEASE
3.2.17.RELEASE
3.2.18.RELEASE
4.*
4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.0.5.RELEASE
4.0.6.RELEASE
4.0.7.RELEASE
4.0.8.RELEASE
4.0.9.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.1.6.RELEASE
4.1.7.RELEASE
4.1.8.RELEASE
4.1.9.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.3.0.RELEASE
4.3.1.RELEASE
4.3.2.RELEASE
4.3.3.RELEASE
4.3.4.RELEASE
4.3.5.RELEASE
4.3.6.RELEASE
4.3.7.RELEASE
4.3.8.RELEASE
4.3.9.RELEASE
4.3.10.RELEASE
4.3.11.RELEASE
4.3.12.RELEASE
4.3.13.RELEASE
4.3.14.RELEASE
4.3.15.RELEASE
4.3.16.RELEASE
4.3.17.RELEASE
4.3.18.RELEASE
4.3.19.RELEASE
4.3.20.RELEASE
4.3.21.RELEASE
4.3.22.RELEASE
4.3.23.RELEASE
4.3.24.RELEASE
4.3.25.RELEASE
4.3.26.RELEASE
4.3.27.RELEASE
4.3.28.RELEASE
4.3.29.RELEASE
4.3.30.RELEASE
5.*
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.0.20.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.1.14.RELEASE
5.1.15.RELEASE
5.1.16.RELEASE
5.1.17.RELEASE
5.1.18.RELEASE
5.1.19.RELEASE
5.1.20.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.2.16.RELEASE
5.2.17.RELEASE
5.2.18.RELEASE
5.2.19.RELEASE
5.2.20.RELEASE
5.2.21.RELEASE
5.2.22.RELEASE