What is CVE-2023-20861?

CVE-2023-20861 is a vulnerability found in Spring Framework that allows a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Which versions of Spring Framework are affected?

Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions are affected.

How can a malicious user exploit this vulnerability?

A malicious user can exploit this vulnerability by providing a specially crafted SpEL expression.

What is the severity of CVE-2023-20861?

The severity of CVE-2023-20861 is medium, with a severity value of 5.3.

How can I fix CVE-2023-20861?

To fix CVE-2023-20861, update to Spring Framework versions 6.0.7, 5.3.26, or apply the recommended patches provided by your vendor.

Vulnerability/
CVE-2023-20861

medium

6.5

CWE

770 917

20/3/2023

23/3/2023

24/3/2024

CVE-2023-20861

First published: Mon Mar 20 2023(Updated: )

A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).

Credit: security@vmware.com security@vmware.com

Affected Software	Affected Version	How to fix
redhat/jenkins	<0:2.401.1.1686649641-3.el8	0:2.401.1.1686649641-3.el8
redhat/jenkins	<0:2.401.1.1686680404-3.el8	0:2.401.1.1686680404-3.el8
redhat/ovirt-dependencies	<0:4.5.3-1.el8e	0:4.5.3-1.el8e
VMware Spring Framework	<=5.2.22
VMware Spring Framework	>=5.3.0<=5.3.25
VMware Spring Framework	>=6.0.0<=6.0.6
IBM Watson Knowledge Catalog on-prem	<=4.x
redhat/springframework	<6.0.7	6.0.7
redhat/springframework	<5.3.26	5.3.26
maven/org.springframework:spring-expression	<5.2.23.RELEASE	5.2.23.RELEASE
maven/org.springframework:spring-expression	>=5.3.0<5.3.26	5.3.26
maven/org.springframework:spring-expression	>=6.0.0<6.0.7	6.0.7

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-20861?
CVE-2023-20861 is a vulnerability found in Spring Framework that allows a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Which versions of Spring Framework are affected?
Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions are affected.
How can a malicious user exploit this vulnerability?
A malicious user can exploit this vulnerability by providing a specially crafted SpEL expression.
What is the severity of CVE-2023-20861?
The severity of CVE-2023-20861 is medium, with a severity value of 5.3.
How can I fix CVE-2023-20861?
To fix CVE-2023-20861, update to Spring Framework versions 6.0.7, 5.3.26, or apply the recommended patches provided by your vendor.

collector/redhat-cve
collector/nvd-index
collector/ibm-support
agent/type
agent/first-publish-date
agent/weakness
agent/severity
agent/softwarecombine
agent/description
agent/event
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/author
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-20861
agent/references
agent/tags
agent/last-modified-date
collector/github-advisory
source/GitHub
alias/GHSA-564r-hj7v-mcr5
collector/github-advisory-latest
package-manager/redhat
vendor/vmware
canonical/vmware spring framework
version/vmware spring framework/5.2.22
version/vmware spring framework/5.3.0
version/vmware spring framework/5.3.25
version/vmware spring framework/6.0.0
version/vmware spring framework/6.0.6
vendor/ibm
canonical/ibm watson knowledge catalog on-prem
version/ibm watson knowledge catalog on-prem/4.x
package-manager/maven