{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-20863", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "dateUpdated": "2024-08-02T09:21:32.420Z", "dateReserved": "2022-11-01T00:00:00", "datePublished": "2023-04-13T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-06-10T16:10:39.713840"}, "descriptions": [{"lang": "en", "value": "In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}], "affected": [{"vendor": "n/a", "product": "Spring Framework", "versions": [{"version": "Spring framework versions 5.2.x.release prior to 5.2.24.release+, 5.3.x prior to 5.3.27+, 6.0.x prior to 6.0.8+ and older unsupported versions", "status": "affected"}]}], "references": [{"url": "https://spring.io/security/cve-2023-20863"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0015/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400-Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:21:32.420Z"}, "title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2023-20863", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0015/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "95C221C0-3C34-4EAE-B591-A8F6BFFBAC4A", "versionEndExcluding": "5.2.24", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A3076BA-B232-4621-B633-9D496FF8246A", "versionEndExcluding": "5.3.27", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEAC4B8F-5F24-479F-908C-CE405EA4B5ED", "versionEndExcluding": "6.0.8", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}], "id": "CVE-2023-20863", "lastModified": "2024-06-10T17:16:11.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-13T20:15:07.777", "references": [{"source": "security@vmware.com", "url": "https://security.netapp.com/advisory/ntap-20240524-0015/"}, {"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2023-20863"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2099", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18.3", "package": "springframework", "product_name": "RHINT Camel-Springboot 3.18.3.P1", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "springframework", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "springframework: Spring Expression DoS Vulnerability", "id": "2187742", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187742"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.", "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server."], "name": "CVE-2023-20863", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "impact": "moderate", "package_name": "springframework", "product_name": "Red Hat Fuse 7"}], "public_date": "2023-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-20863\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-20863\nhttps://spring.io/security/cve-2023-20863"], "threat_severity": "Moderate", "upstream_fix": "spring framework 6.0.8, spring framework 5.3.27, spring framework 5.2.24.RELEASE"}