veracode-repository-ruleset / verademo-java-maven


CVE: 2023-20863 found in Spring Expression Language (SpEL) - Version: 4.3.10.RELEASE [JAVA] #46

Open github-actions[bot] opened 7 months ago

github-actions[bot] commented 7 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Expression Language (SpEL) |
| Description | Spring Expression Language (SpEL) |
| Language | JAVA |
| Vulnerability | Denial Of Service (DoS) |
| Vulnerability description | Spring Expression Language is vulnerable to Denial Of Service (DoS). The vulnerability exists in the doParseExpression function of InternalSpelExpressionParser.java because the SpEL expression length is not restricted, which allows an attacker to cause an application crash. |
| CVE | 2023-20863 |
| CVSS score | 6.8 |
| Vulnerability present in version/s | 4.3.0.RC1-4.3.30.RELEASE |
| Found library version/s | 4.3.10.RELEASE |
| Vulnerability fixed in version | 5.2.24.RELEASE |
| Library latest version | 6.1.1 |
| Fix | |

Links:
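The report above says the parser in the affected versions accepts expressions of unbounded length. The remediation is the dependency upgrade the bot links to; the following is an added example, not code from this repository or from Spring, showing the complementary control an application should apply wherever it parses attacker-controlled SpEL: reject oversized input before it reaches the parser and evaluate with a restricted context. The class name `BoundedSpelEvaluator`, the limit `MAX_EXPRESSION_LENGTH`, and the sample root map are assumptions for illustration; it assumes spring-expression 5.2.24.RELEASE or later on the classpath, since `SimpleEvaluationContext` is not available in 4.3.10.RELEASE.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/**
 * Added example (not project code): size-gates SpEL parsing of untrusted input.
 * Assumes spring-expression has already been upgraded to a fixed version
 * (5.2.24.RELEASE or later per the report); the length check is defense in depth
 * against the unbounded-length parsing the report describes, not a substitute
 * for the upgrade.
 */
public class BoundedSpelEvaluator {

    // Assumed policy limit for attacker-controlled expressions; tune to what
    // legitimate callers actually need, keeping it far below "unbounded".
    static final int MAX_EXPRESSION_LENGTH = 1_000;

    private final ExpressionParser parser = new SpelExpressionParser();

    /** Returns true when the expression passes the size gate. */
    static boolean withinLimit(String expression) {
        return expression != null && expression.length() <= MAX_EXPRESSION_LENGTH;
    }

    /**
     * Parses and evaluates an expression supplied by an untrusted caller.
     * Rejects oversized input before the parser sees it, and evaluates with a
     * read-only data-binding context so the expression cannot reach type
     * references, constructors or bean references.
     */
    public Object evaluate(String untrustedExpression, Object root) {
        if (!withinLimit(untrustedExpression)) {
            throw new IllegalArgumentException("SpEL expression rejected: missing or longer than "
                    + MAX_EXPRESSION_LENGTH + " characters");
        }
        Expression expr;
        try {
            expr = parser.parseExpression(untrustedExpression);
        } catch (ParseException e) {
            // Surface parse failures as input errors rather than server errors.
            throw new IllegalArgumentException("SpEL expression rejected: " + e.getMessage(), e);
        }
        return expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        BoundedSpelEvaluator evaluator = new BoundedSpelEvaluator();

        // Constructed sample root object for data binding (not real application data).
        Map<String, Object> root = new HashMap<>();
        root.put("name", "verademo");

        // A small, well-formed expression is evaluated normally: "verademo-app".
        System.out.println(evaluator.evaluate("['name'] + '-app'", root));

        // Constructed oversized input: a deep chain of nested parentheses, the kind of
        // unbounded input the report says the affected parser did not reject.
        StringBuilder oversized = new StringBuilder();
        for (int i = 0; i <= MAX_EXPRESSION_LENGTH; i++) {
            oversized.append('(');
        }
        oversized.append('1');
        for (int i = 0; i <= MAX_EXPRESSION_LENGTH; i++) {
            oversized.append(')');
        }
        try {
            evaluator.evaluate(oversized.toString(), root);
        } catch (IllegalArgumentException e) {
            // The gate fires before any parsing work is done.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

After merging the upgrade, confirm which spring-expression version actually resolves (transitive dependencies can pin an old one) with `mvn dependency:tree -Dincludes=org.springframework:spring-expression`; the reported range 4.3.0.RC1 through 4.3.30.RELEASE must no longer appear in the output.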

github-actions[bot] commented 4 months ago

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54