CVE Vulnerabilities

CVE-2023-20863

Uncontrolled Resource Consumption

Published: Apr 13, 2023 | Modified: Feb 07, 2025
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Spring_framework Vmware 5.2.0 (including) 5.2.24 (excluding)
Spring_framework Vmware 5.3.0 (including) 5.3.27 (excluding)
Spring_framework Vmware 6.0.0 (including) 6.0.8 (excluding)
RHINT Camel-Springboot 3.18.3.P1 RedHat springframework *
RHINT Camel-Springboot 3.20.1 RedHat springframework *
Libspring-java Ubuntu bionic *
Libspring-java Ubuntu focal *
Libspring-java Ubuntu kinetic *
Libspring-java Ubuntu lunar *
Libspring-java Ubuntu mantic *
Libspring-java Ubuntu oracular *
Libspring-java Ubuntu trusty *
Libspring-java Ubuntu trusty/esm *
Libspring-java Ubuntu xenial *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References