veracode-repository-ruleset / verademo-java-maven


CVE: 2022-22950 found in Spring Expression Language (SpEL) - Version: 4.3.10.RELEASE [JAVA] #44

Open github-actions[bot] opened 8 months ago

github-actions[bot] commented 8 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Expression Language (SpEL) |
| Description | Spring Expression Language (SpEL) |
| Language | JAVA |
| Vulnerability | Denial Of Service (DoS) |
| Vulnerability description | Spring Expression is vulnerable to denial of service. The vulnerability exists due to the creation of a large array in a SpEL expression and the sending of meaningless error messages to the user, which allows an attacker to send crafted SpEL expressions that lead to an out-of-bounds error, causing an application crash. |
| CVE | 2022-22950 |
| CVSS score | 4 |
| Vulnerability present in version/s | 3.0.4.RELEASE to 5.2.19.RELEASE |
| Found library version/s | 4.3.10.RELEASE |
| Vulnerability fixed in version | 5.2.20.RELEASE |
| Library latest version | 6.1.1 |
| Fix | |

Links:

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54
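Added example, not code from the verademo-java-maven repository, from Veracode, or from the linked PR: the finding above is about what happens when attacker-controlled text reaches the SpEL evaluator. The block shows the risky pattern, evaluating caller-supplied input against a fully privileged `StandardEvaluationContext`, next to the restricted `SimpleEvaluationContext`, which refuses type references, constructors and bean references and so narrows what any untrusted expression can do. Upgrading `spring-expression` to 5.2.20.RELEASE or later is the fix for CVE-2022-22950; the restricted context is the defence in depth a practitioner would pair with that upgrade. Assumptions: `org.springframework:spring-expression` 5.2.20.RELEASE or later is on the classpath (`SimpleEvaluationContext` does not exist in the 4.3.10.RELEASE the scan found; it was added in 4.3.15), and the `Order` class and the sample expressions are constructed for this example.

```java
// Added example (not from verademo-java-maven). Assumes spring-expression
// 5.2.20.RELEASE or later on the classpath.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelEvaluationDemo {

    // Constructed root object: the only thing an expression should be able to read.
    public static class Order {
        private final String customer;
        private final int quantity;

        public Order(String customer, int quantity) {
            this.customer = customer;
            this.quantity = quantity;
        }

        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Risky pattern: untrusted text is evaluated with StandardEvaluationContext,
    // which allows T(...) type references, constructors, bean references and
    // assignment. Whatever the expression asks for, the evaluator will attempt.
    public static Object evaluateUnrestricted(String untrustedExpression, Order root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(untrustedExpression).getValue(ctx);
    }

    // Hardened pattern: a read-only data-binding context. Property reads and
    // operators on the root object still work; type references, constructors
    // and bean references are rejected with SpelEvaluationException instead
    // of being executed.
    public static Object evaluateRestricted(String untrustedExpression, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(untrustedExpression).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 3); // constructed sample input

        // A benign data-binding expression is accepted by the restricted context.
        System.out.println(evaluateRestricted("quantity > 2 and customer == 'alice'", order));

        // Expressions that need a type lookup or a constructor are refused there.
        String[] rejected = {
            "T(java.lang.System).getProperty('user.home')",
            "new java.lang.String('x')"
        };
        for (String expr : rejected) {
            try {
                evaluateRestricted(expr, order);
                System.out.println("unexpectedly evaluated: " + expr);
            } catch (SpelEvaluationException e) {
                System.out.println("rejected " + expr + " -> " + e.getMessageCode());
            }
        }
    }
}
```

`evaluateUnrestricted` is kept only to make the contrast visible; in an application the rule is that user-supplied text never reaches a `StandardEvaluationContext`, and the dependency is upgraded to the fixed version regardless of which context is used.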