{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-20863", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "dateUpdated": "2025-02-07T16:48:13.438Z", "dateReserved": "2022-11-01T00:00:00.000Z", "datePublished": "2023-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-06-10T16:10:39.713Z"}, "descriptions": [{"lang": "en", "value": "In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}], "affected": [{"vendor": "n/a", "product": "Spring Framework", "versions": [{"version": "Spring framework versions 5.2.x.release prior to 5.2.24.release+, 5.3.x prior to 5.3.27+, 6.0.x prior to 6.0.8+ and older unsupported versions", "status": "affected"}]}], "references": [{"url": "https://spring.io/security/cve-2023-20863"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0015/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400-Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:21:32.420Z"}, "title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2023-20863", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0015/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-07T16:47:31.342208Z", "id": "CVE-2023-20863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T16:48:13.438Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2023-20863", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0015/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:21:32.420Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-20863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-07T16:47:31.342208Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T16:48:03.541Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "Spring Framework", "versions": [{"status": "affected", "version": "Spring framework versions 5.2.x.release prior to 5.2.24.release+, 5.3.x prior to 5.3.27+, 6.0.x prior to 6.0.8+ and older unsupported versions"}]}], "references": [{"url": "https://spring.io/security/cve-2023-20863"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0015/"}], "descriptions": [{"lang": "en", "value": "In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400-Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-06-10T16:10:39.713Z"}}}, "cveMetadata": {"cveId": "CVE-2023-20863", "state": "PUBLISHED", "dateUpdated": "2025-02-07T16:48:13.438Z", "dateReserved": "2022-11-01T00:00:00.000Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2023-04-13T00:00:00.000Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "95C221C0-3C34-4EAE-B591-A8F6BFFBAC4A", "versionEndExcluding": "5.2.24", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A3076BA-B232-4621-B633-9D496FF8246A", "versionEndExcluding": "5.3.27", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEAC4B8F-5F24-479F-908C-CE405EA4B5ED", "versionEndExcluding": "6.0.8", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."}], "id": "CVE-2023-20863", "lastModified": "2025-02-07T17:15:23.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-04-13T20:15:07.777", "references": [{"source": "security@vmware.com", "url": "https://security.netapp.com/advisory/ntap-20240524-0015/"}, {"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2023-20863"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240524-0015/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2023-20863"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@vmware.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2099", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18.3", "package": "springframework", "product_name": "RHINT Camel-Springboot 3.18.3.P1", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "springframework", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "springframework: Spring Expression DoS Vulnerability", "id": "2187742", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187742"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.", "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server."], "name": "CVE-2023-20863", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "impact": "moderate", "package_name": "springframework", "product_name": "Red Hat Fuse 7"}], "public_date": "2023-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-20863\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-20863\nhttps://spring.io/security/cve-2023-20863"], "threat_severity": "Moderate", "upstream_fix": "spring framework 6.0.8, spring framework 5.3.27, spring framework 5.2.24.RELEASE"}