CVE-2022-22950
denial of service condition vulnerability in spring-expression (Maven)
What is CVE-2022-22950 About?
This vulnerability affects Spring Framework versions 5.3.0 - 5.3.16, 5.2.0.RELEASE - 5.2.19.RELEASE, and older unsupported versions, enabling a denial of service condition. An attacker can provide a specially crafted SpEL expression that causes the application to consume excessive resources or crash. Exploitation involves sending a malicious SpEL expression.
Affected Software
- org.springframework:spring-expression
- <5.2.20.RELEASE
- >5.3.0, <5.3.17
Technical Details
The vulnerability lies within how the Spring Framework processes SpEL (Spring Expression Language) expressions. An attacker can craft a complex or recursive SpEL expression that, when evaluated by the vulnerable framework, consumes an inordinate amount of CPU cycles or memory. This resource exhaustion leads to a denial of service condition, making the application unresponsive or causing it to crash. The attack vector is the input mechanism through which SpEL expressions can be submitted to the application, which may be part of an API endpoint or request parameter that allows dynamic evaluation.
What is the Impact of CVE-2022-22950?
Successful exploitation may allow an attacker to exhaust the application's resources (CPU or memory), leaving it unresponsive or crashed: a denial of service condition.
What is the Exploitability of CVE-2022-22950?
Exploiting this vulnerability requires the ability to submit a specially crafted SpEL expression to an endpoint susceptible to evaluation. The complexity is moderate, as it requires knowledge of SpEL syntax and how to craft an expression that triggers resource exhaustion. Authentication requirements depend on whether the vulnerable endpoint is protected; typically, if an attacker can reach a SpEL evaluation context, they can attempt exploitation. No elevated privileges are needed beyond what's required to interact with the application. This is primarily a remote vulnerability. The key risk factor is any application that directly or indirectly evaluates user-controlled SpEL expressions without proper input validation or resource limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-22950?
Available Upgrade Options
- org.springframework:spring-expression
- <5.2.20.RELEASE → Upgrade to 5.2.20.RELEASE
- org.springframework:spring-expression
- >5.3.0, <5.3.17 → Upgrade to 5.3.17
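The affected ranges and upgrade targets above can be turned into a mechanical check over `mvn dependency:tree` output. The following Python script is an added example written for this page; it is not code from the advisory or from the Spring project. It encodes the two fixed versions listed above (5.2.20.RELEASE and 5.3.17), treats everything below 5.2.20 as affected (which also covers the "older unsupported versions" the description mentions), and reads 5.3.0 itself as affected, following the description's "5.3.0 - 5.3.16" rather than the range list's ">5.3.0". The dependency-tree text embedded in the script is constructed sample data, and the regular expression assumes the usual `groupId:artifactId:type[:classifier]:version:scope` line shape that `mvn dependency:tree` prints.

```python
"""Flag org.springframework:spring-expression versions in the CVE-2022-22950
affected ranges, using `mvn dependency:tree` output as input.

Added example; not part of the advisory or the Spring project. The sample
dependency-tree text below is constructed for this demo.
"""
import re
from typing import Optional

# Fix versions from the advisory's upgrade table.
FIX_5_2 = "5.2.20.RELEASE"
FIX_5_3 = "5.3.17"

# Matches the artifact coordinates printed by `mvn dependency:tree`, e.g.
# "org.springframework:spring-expression:jar:5.3.16:compile".
# Type and optional classifier segments start with a letter; the version
# segment starts with a digit, which is how the two are told apart.
_DEP_RE = re.compile(
    r"org\.springframework:spring-expression:(?:[A-Za-z][^:\s]*:)*(\d[^:\s]*)"
)


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from e.g. '5.2.19.RELEASE' or '5.3.16'.
    Qualifiers such as .RELEASE are ignored for the comparison."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    return tuple(int(x) for x in m.groups())


def recommended_fix(version: str) -> Optional[str]:
    """Return the upgrade target for an affected version, or None when the
    version lies outside the affected ranges."""
    v = parse_version(version)
    # '<5.2.20.RELEASE' also covers the older unsupported 4.x/5.0/5.1 lines,
    # so anything below 5.2.20 maps to the 5.2 fix release.
    if v < (5, 2, 20):
        return FIX_5_2
    # Description lists 5.3.0 - 5.3.16; 5.3.0 is treated as affected here
    # (conservative reading, assumption made for this example).
    if (5, 3, 0) <= v < (5, 3, 17):
        return FIX_5_3
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside a CVE-2022-22950 affected range."""
    return recommended_fix(version) is not None


def scan_dependency_tree(tree_text: str) -> list:
    """Return [(version, fix), ...] for every affected spring-expression
    occurrence in dependency-tree output, in the order encountered."""
    findings = []
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        version = m.group(1)
        fix = recommended_fix(version)
        if fix is not None:
            findings.append((version, fix))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework:spring-context:jar:5.3.16:compile
[INFO] |  \\- org.springframework:spring-expression:jar:5.3.16:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO] |  \\- org.springframework:spring-expression:jar:5.3.17:compile
[INFO] \\- org.springframework:spring-expression:jar:5.2.19.RELEASE:test
"""

if __name__ == "__main__":
    for version, fix in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-expression {version} is affected by CVE-2022-22950; "
              f"upgrade to {fix}")
```

Run it against real output with `mvn dependency:tree | python3 check_spel.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`. Note that the 5.3.17 and 5.2.19.RELEASE lines in the sample come from different scopes; a test-scoped copy of a vulnerable artifact is still worth upgrading, but it does not reach production classpaths, which is why the script reports every occurrence rather than deduplicating by version.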
Additional Resources
- https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11
- https://github.com/spring-projects/spring-framework/issues/28145
- https://osv.dev/vulnerability/GHSA-558x-2xjg-6232
- https://github.com/spring-projects/spring-framework
- https://github.com/spring-projects/spring-framework/releases/tag/v5.3.17
- https://tanzu.vmware.com/security/cve-2022-22950
- https://github.com/spring-projects/spring-framework/issues/28257
- https://nvd.nist.gov/vuln/detail/CVE-2022-22950
- https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE
What are Similar Vulnerabilities to CVE-2022-22950?
Similar Vulnerabilities: CVE-2021-22965, CVE-2021-22951, CVE-2022-22964, CVE-2022-22970, CVE-2017-4995
