Dae Glendowne, 1 min read

Another Expression DoS Vulnerability Found in Spring - CVE-2023-20863

Just recently, our open-source fuzzing engine Jazzer found an Expression DoS vulnerability in Spring (CVE-2023-20861). Now, three weeks later, Jazzer found another similar Expression DoS in the Spring framework, labeled CVE-2023-20863. This new finding has an even higher CVSS score of 7.5 (high), compared to the previous finding which came in at 5.3 (medium). Both vulnerabilities were found within Google's OSS-Fuzz, where Jazzer has been integrated as part of an ongoing collaboration between Code Intelligence and Google's open-source security team, with the goal of securing open-source projects.

Spring is a popular framework used for web application development in Java. As such, vulnerabilities in Spring can have a significant impact on applications that depend on the affected version.

Description of CVE-2023-20863

A user who can supply a specially crafted SpEL expression can trigger a denial-of-service (DoS) condition.

Affected Versions:

  • 6.0.0 to 6.0.7
  • 5.3.0 to 5.3.26
  • 5.2.0.RELEASE to 5.2.23.RELEASE

Outdated, unsupported versions are also susceptible.

Mitigation and Remediation

Fixes have been issued to address the CVE; they add limit checks on the size of repeated text and on the length of regular expressions used in the matches operator. Users of impacted versions are strongly advised to upgrade to a release that includes the fixes:

  • 6.0.x users should upgrade to 6.0.8+.
  • 5.3.x users should upgrade to 5.3.27+.
  • 5.2.x users should upgrade to 5.2.24.RELEASE+.

Users of older, unsupported versions should upgrade to 6.0.7+ or 5.3.26+. No other steps are necessary.
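As an added example (not code from the original post or from the Spring project), the following Python helper encodes the affected and fixed ranges listed above so that a dependency inventory can be checked offline. It assumes that release lines newer than 6.0 were cut after the fix and inherit it, that pre-release builds of a fixed version (for example a SNAPSHOT of 5.3.27) should be treated as still affected, and that `mvn dependency:tree` output uses the usual `groupId:artifactId:jar:version:scope` form. The sample tree output is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected ranges and first fixed patch level per release line, as stated in the advisory above.
# Key: (major, minor) release line -> first patch level that contains the fix.
FIRST_FIXED_PATCH = {
    (6, 0): 8,   # 6.0.0 - 6.0.7 affected, fixed in 6.0.8+
    (5, 3): 27,  # 5.3.0 - 5.3.26 affected, fixed in 5.3.27+
    (5, 2): 24,  # 5.2.0.RELEASE - 5.2.23.RELEASE affected, fixed in 5.2.24.RELEASE+
}

# Plain '6.0.7' form and older '5.2.23.RELEASE' form; a trailing qualifier
# such as '-SNAPSHOT', '-RC1' or '.BUILD-SNAPSHOT' is captured in group 4.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([0-9A-Za-z-]+))?$")

# One line of `mvn dependency:tree` output for a Spring Framework artifact.
# spring-expression is the module that contains SpEL; sibling spring-* artifacts
# are reported as well because they normally share the same version.
_TREE_LINE = re.compile(
    r"org\.springframework:(?P<artifact>spring-[a-z-]+):jar:(?P<version>[0-9][0-9A-Za-z.\-]*):"
)


@dataclass(frozen=True)
class Assessment:
    version: str
    affected: bool
    advice: str


def parse_version(version: str) -> tuple[int, int, int, bool]:
    """Reduce a Spring version string to (major, minor, patch, is_final_release)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in range(1, 4))
    qualifier = m.group(4)
    # 'RELEASE' is the final-release marker used by the 5.2 line; anything else is a pre-release.
    is_final = qualifier is None or qualifier == "RELEASE"
    return major, minor, patch, is_final


def assess(version: str) -> Assessment:
    """Classify one Spring Framework version against the CVE-2023-20863 ranges."""
    major, minor, patch, is_final = parse_version(version)
    line = (major, minor)
    if line in FIRST_FIXED_PATCH:
        fixed = FIRST_FIXED_PATCH[line]
        # A pre-release of the first fixed patch level is treated as not yet containing the fix.
        affected = patch < fixed or (patch == fixed and not is_final)
        suffix = ".RELEASE" if line == (5, 2) else ""
        advice = f"upgrade to {major}.{minor}.{fixed}{suffix}+" if affected else "fixed release; no action needed"
        return Assessment(version, affected, advice)
    if line > max(FIRST_FIXED_PATCH):
        # Assumption: release lines newer than 6.0 were cut after the fix and inherit it.
        return Assessment(version, False, "newer than the 6.0 line; assumed to include the fix")
    # Anything outside the three maintained lines is out of support and listed as susceptible.
    return Assessment(version, True, "unsupported line; upgrade to a fixed supported line (5.3.27+ or 6.0.8+)")


def scan_dependency_tree(tree_output: str) -> list[tuple[str, Assessment]]:
    """Assess every org.springframework:spring-* artifact found in `mvn dependency:tree` output."""
    return [(m.group("artifact"), assess(m.group("version"))) for m in _TREE_LINE.finditer(tree_output)]


# Constructed sample of `mvn dependency:tree` output for a project pinned to an affected version.
SAMPLE_TREE = "\n".join([
    "[INFO] com.example:demo:jar:1.0.0",
    "[INFO] +- org.springframework:spring-expression:jar:5.3.26:compile",
    "[INFO] |  \\- org.springframework:spring-core:jar:5.3.26:compile",
    "[INFO] +- org.springframework:spring-web:jar:5.3.26:compile",
    "[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile",
])

if __name__ == "__main__":
    for artifact, result in scan_dependency_tree(SAMPLE_TREE):
        status = "AFFECTED" if result.affected else "ok"
        print(f"{artifact:20} {result.version:16} {status:9} {result.advice}")
```

Run it against real output with `mvn dependency:tree | python3 check_spring_cve.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; only the `spring-expression` artifact actually hosts the SpEL parser, so that line is the one that decides whether the application evaluates expressions with the affected code.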

Acknowledgments

We express our appreciation to the Spring maintainers for their fast response in addressing the matter and delivering a fix through new releases.
