In Spring Framework versions prior to 5.2.24, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
The product constructs all or part of an expression language (EL) statement in a framework such as JavaServer Pages (JSP) using externally influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spring_framework | VMware | 5.2.0 (including) | 5.2.24 (excluding) |
| Spring_framework | VMware | 5.3.0 (including) | 5.3.27 (excluding) |
| Spring_framework | VMware | 6.0.0 (including) | 6.0.8 (excluding) |
| Libspring-java | Ubuntu | bionic | * |
| Libspring-java | Ubuntu | kinetic | * |
| Libspring-java | Ubuntu | lunar | * |
| Libspring-java | Ubuntu | mantic | * |
| Libspring-java | Ubuntu | trusty | * |
| Libspring-java | Ubuntu | xenial | * |
| RHINT Camel-Springboot 3.18.3.P1 | Red Hat | springframework | * |
| RHINT Camel-Springboot 3.20.1 | Red Hat | springframework | * |