
=====================================================================

                                CERT-Renater

                     Information Note No. 2023/VULN159

_____________________________________________________________________

DATE                : 14/04/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Framework versions prior
                           to 6.0.8, 5.3.27 or 5.2.24.RELEASE.

=====================================================================
https://spring.io/security/cve-2023-20863/
_____________________________________________________________________

  CVE-2023-20863: Spring Expression DoS Vulnerability
HIGH | APRIL 13, 2023 | CVE-2023-20863

Description

In Spring Framework versions 6.0.0 - 6.0.7, 5.3.0 - 5.3.26,
5.2.0.RELEASE - 5.2.23.RELEASE, and older unsupported versions, it is
possible for a user to provide a specially crafted SpEL expression
that may cause a denial-of-service (DoS) condition.


Affected Spring Products and Versions

     Spring Framework
         6.0.0 to 6.0.7
         5.3.0 to 5.3.26
         5.2.0.RELEASE to 5.2.23.RELEASE
         Older, unsupported versions are also affected


Mitigation

Users of affected versions should apply the following mitigation:
6.0.x users should upgrade to 6.0.8+. 5.3.x users should
upgrade to 5.3.27+. 5.2.x users should upgrade to 5.2.24.RELEASE+.
Users of older, unsupported versions should upgrade to 6.0.8+ or
5.3.27+. No other steps are necessary. Releases that have fixed this
issue include:

     Spring Framework
         6.0.8+
         5.3.27+
         5.2.24.RELEASE+
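The check below is an added example, not part of the CERT-Renater or Spring advisory: it encodes the affected and fixed version ranges stated above and runs them over a constructed excerpt of `mvn dependency:tree` output, so an inventory of Spring Framework artifacts can be triaged against this CVE. The dependency lines and the `scan_dependency_tree` helper are assumptions made for the example.

```python
"""Triage Spring Framework artifact versions against CVE-2023-20863 ranges."""
import re

# Per branch: (first affected, last affected, first fixed), as listed in the advisory.
BRANCHES = {
    (6, 0): ((6, 0, 0), (6, 0, 7), (6, 0, 8)),
    (5, 3): ((5, 3, 0), (5, 3, 26), (5, 3, 27)),
    (5, 2): ((5, 2, 0), (5, 2, 23), (5, 2, 24)),
}
# Anything below this is an "older, unsupported version" and counts as affected.
OLDEST_SUPPORTED = (5, 2, 0)


def parse_version(text):
    """Turn '5.2.23.RELEASE' or '6.0.7' into a comparable tuple of ints."""
    core = re.sub(r"\.RELEASE$", "", text.strip())
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return 'affected', 'fixed' or 'not listed' for one Spring Framework version."""
    v = parse_version(version_text)
    if v < OLDEST_SUPPORTED:
        return "affected"
    branch = BRANCHES.get(v[:2])
    if branch is None:
        return "not listed"  # branch not named in the advisory (e.g. later lines)
    _first, last, _fixed = branch
    return "affected" if v <= last else "fixed"


# Maven dependency:tree lines use groupId:artifactId:type:version:scope.
DEP_LINE = re.compile(r"org\.springframework:(spring-[\w-]+):jar:([^:\s]+):")


def scan_dependency_tree(tree_text):
    """Yield (artifact, version, verdict) for every Spring Framework artifact found."""
    return [(art, ver, assess(ver)) for art, ver in DEP_LINE.findall(tree_text)]


# Constructed sample output, not from a real build.
SAMPLE_TREE = """\
[INFO] +- org.springframework:spring-core:jar:5.3.26:compile
[INFO] +- org.springframework:spring-expression:jar:5.3.26:compile
[INFO] +- org.springframework:spring-context:jar:6.0.8:compile
"""

if __name__ == "__main__":
    for artifact, version, verdict in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact:<20} {version:<16} {verdict}")
```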


Credit

This vulnerability was initially discovered and responsibly
reported by the Google OSS-Fuzz team from Code Intelligence.


References

     https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O
     https://cwe.mitre.org/data/definitions/770.html


History

     2023-04-13: Initial vulnerability report published.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

