CVE: 2023-20861 found in Spring Expression Language (SpEL) - Version: 4.3.10.RELEASE [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Spring Expression Language (SpEL)
Description	Spring Expression Language (SpEL)
Language	JAVA
Vulnerability	Denial Of Service (DoS)
Vulnerability description	Spring Framework is vulnerable to Denial of Service (DoS). The vulnerability is due to a lack of max repeated words and max number of character logic in the Spring Expression Language parser located in the getValueInternal function of OpMultiply and the getValueInternal function in OperatorMatches, which can trigger an infinite loop and consume excessive CPU memory, possibly leading to a system crash.
CVE	2023-20861
CVSS score	6.8
Vulnerability present in version/s	3.0.0.M3-5.0.1.RELEASE
Found library version/s	4.3.10.RELEASE
Vulnerability fixed in version	5.2.23.RELEASE
Library latest version	6.0.8
Fix	There is no released version for this range. Please upgrade to 5.2.23.RELEASE

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1074?version=4.3.10.RELEASE
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/39962
• Patch: https://github.com/spring-projects/spring-framework/commit/b9b31afcc905cd9d5e63739ff5920d849f7f20f0