CVE-2023-20861
Denial-of-Service (DoS) vulnerability in spring-expression (Maven)
What is CVE-2023-20861 About?
This vulnerability exists in Spring Framework versions 6.0.0 to 6.0.6, 5.3.0 to 5.3.25, 5.2.0.RELEASE to 5.2.22.RELEASE, and older unsupported versions. An attacker who can get a specially crafted SpEL expression evaluated by the framework can trigger a Denial-of-Service condition. The result is service disruption; crafting the expression takes some knowledge of SpEL, but the impact on availability can be significant.
Affected Software
- org.springframework:spring-expression
- <5.2.23.RELEASE
- >=5.3.0, <5.3.26
- >=6.0.0, <6.0.7
Technical Details
The vulnerability lies in the evaluation of Spring Expression Language (SpEL) expressions. In the affected versions, a specially crafted expression consumes excessive resources when evaluated, so the application becomes unresponsive or crashes, a Denial-of-Service (DoS) condition. The vector addressed by the fix is the matches operator: compiled regex patterns are cached, and an attacker who can submit expressions carrying an unbounded number of distinct patterns can drive memory consumption up until the JVM is exhausted. The attack surface is wherever the application evaluates user-supplied data as a SpEL expression without sanitization or resource limits; the precondition is that untrusted input reaches the expression evaluator.
What is the Impact of CVE-2023-20861?
Successful exploitation lets an attacker freeze or crash the affected Spring Framework application, making it unavailable to legitimate users.
What is the Exploitability of CVE-2023-20861?
Exploitation requires the ability to deliver a specially crafted SpEL expression to a Spring Framework application that evaluates it. Complexity is moderate to high: the attacker needs to know SpEL syntax and how to construct expressions that exhaust resources. Whether authentication or privileges are needed depends on where the expression input is accepted; an unauthenticated endpoint that evaluates request data as SpEL needs none. The attack can be remote or local depending on the application's design. The precondition is that the application evaluates user-supplied input as SpEL; the risk is highest in applications that use SpEL for dynamic configuration, filtering, or data processing driven by untrusted input.
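The precondition described in the two sections above, as an added example (not code from Spring or from this page): a request filter that hands user text straight to SpelExpressionParser, beside a version of the same feature in which user input is only ever bound as data. The Order bean, the ALLOWED_FIELDS allow-list and the MAX_VALUE_LENGTH cap are assumptions for illustration, not Spring APIs.

```java
import java.util.Set;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/** Added example: untrusted text evaluated as SpEL, beside a form that keeps user input out of the parser. */
public class SpelFilterExample {

    /** Constructed sample root object; a plain bean with getters so property access works on every listed release line. */
    public static class Order {
        private final String customer;
        private final String status;
        public Order(String customer, String status) { this.customer = customer; this.status = status; }
        public String getCustomer() { return customer; }
        public String getStatus() { return status; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser(); // thread-safe, shared

    // --- Vulnerable pattern (the precondition the advisory describes) ---
    // The whole filter string comes from the request and is parsed and evaluated as SpEL against a
    // StandardEvaluationContext. The caller therefore chooses the operators, including 'matches' with a
    // regex of its choice, and can vary that regex on every request; with this context it can also
    // invoke methods and reference types.
    static boolean vulnerableFilter(String untrustedExpression, Order order) {
        Expression exp = PARSER.parseExpression(untrustedExpression);
        StandardEvaluationContext ctx = new StandardEvaluationContext(order);
        return Boolean.TRUE.equals(exp.getValue(ctx, Boolean.class));
    }

    // --- Hardened pattern ---
    // User input never reaches the parser as expression text: the field name is allow-listed, the
    // comparison value is bound as a variable (data, not code), the value is size-capped, and the
    // context is read-only data binding (no method invocation, no type or bean references).
    private static final Set<String> ALLOWED_FIELDS = Set.of("customer", "status"); // assumption: the app's own allow-list
    private static final int MAX_VALUE_LENGTH = 256;                                  // assumption: app-level input cap

    static boolean hardenedFilter(String field, String expectedValue, Order order) {
        if (!ALLOWED_FIELDS.contains(field)) {
            throw new IllegalArgumentException("field not allowed: " + field);
        }
        if (expectedValue.length() > MAX_VALUE_LENGTH) {
            throw new IllegalArgumentException("value too long");
        }
        // Expression text is built only from the allow-listed field name and a fixed template.
        Expression exp = PARSER.parseExpression(field + " == #expected");
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(order)
                .build();
        ctx.setVariable("expected", expectedValue);
        return Boolean.TRUE.equals(exp.getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        Order order = new Order("acme", "OPEN");

        // A request that supplies the full expression: the attacker picks the operator and the regex.
        String attackerControlled = "customer matches 'a.*'";
        System.out.println("vulnerable: " + vulnerableFilter(attackerControlled, order)); // evaluates whatever was sent

        // Same business need, hardened: the request can only pick an allow-listed field and a value.
        System.out.println("hardened: " + hardenedFilter("status", "OPEN", order));
        try {
            hardenedFilter("customer matches 'a.*'", "x", order); // rejected before any parsing happens
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

SimpleEvaluationContext.forReadOnlyDataBinding() limits what an expression can reach (no method calls, no type, constructor or bean references), but it does not by itself bound the cost of evaluating operators such as matches. The fix for this CVE is the upgrade; the hardened form is what keeps attacker-chosen operators and regex patterns out of the evaluator in the first place, which is the defense in depth that remains useful after upgrading.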
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-20861?
About the Fix from Resolved Security
The patch addresses CVE-2023-20861 by introducing a single shared, thread-safe cache for the compiled regex patterns used by SpEL's matches operator, replacing the previous approach in which each operator instance kept its own cache. That per-instance caching let an attacker who could submit an excessive number of unique regex patterns drive memory consumption up; the shared cache closes this denial-of-service (DoS) vector. Note that this is a library-side fix: an application that evaluates untrusted input as SpEL should treat the upgrade as the necessary step and, as defense in depth, keep untrusted text out of the expression parser rather than relying on the evaluator's resource limits alone.
Available Upgrade Options
- org.springframework:spring-expression
- <5.2.23.RELEASE → Upgrade to 5.2.23.RELEASE
- >=5.3.0, <5.3.26 → Upgrade to 5.3.26
- >=6.0.0, <6.0.7 → Upgrade to 6.0.7
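A startup guard for the ranges above, as an added example (not Spring's own code): it reads the Spring Framework version that spring-core reports through SpringVersion.getVersion() and compares it with the fixed versions listed on this page, failing fast when the application is still on an affected release. The class name and the assumption that spring-expression is at the same version as spring-core are mine; the dependency tree (for example mvn dependency:tree -Dincludes=org.springframework:spring-expression) is the authoritative source for the artifact actually on the classpath.

```java
import org.springframework.core.SpringVersion;

/** Added example: fail fast at startup if the Spring Framework on the classpath is in an affected range. */
public final class Cve202320861Guard {

    private Cve202320861Guard() {}

    /** True when the given Spring Framework version carries the fix for CVE-2023-20861. Unknown versions fail closed. */
    static boolean isFixed(String version) {
        int[] v = parse(version);
        int major = v[0], minor = v[1], patch = v[2];
        if (major > 6) {
            return true;                           // release lines newer than those listed are not affected
        }
        if (major == 6) {
            return minor > 0 || patch >= 7;        // 6.0.x fixed in 6.0.7; 6.1+ postdates the fix
        }
        if (major == 5) {
            if (minor == 3) {
                return patch >= 26;                // 5.3.x fixed in 5.3.26
            }
            if (minor == 2) {
                return patch >= 23;                // 5.2.x fixed in 5.2.23.RELEASE
            }
        }
        return false;                              // 5.1 and older are unsupported and listed as affected; null/unparseable also lands here
    }

    /** Leading numeric components of a version such as "6.0.7", "5.2.23.RELEASE" or "6.1.0-SNAPSHOT". */
    static int[] parse(String version) {
        int[] out = new int[3];
        if (version == null) {
            return out;                            // no manifest (e.g. classes run from an IDE): treated as 0.0.0, i.e. not fixed
        }
        String[] parts = version.split("[.-]");
        for (int i = 0; i < 3 && i < parts.length; i++) {
            if (!parts[i].matches("\\d+")) {
                break;                             // stop at qualifiers such as "RELEASE" or "SNAPSHOT"
            }
            out[i] = Integer.parseInt(parts[i]);
        }
        return out;
    }

    /** Call once at startup, for example from a CommandLineRunner or a static initializer. */
    public static void check() {
        String version = SpringVersion.getVersion(); // spring-core's Implementation-Version; assumed equal to spring-expression's
        if (!isFixed(version)) {
            throw new IllegalStateException("Spring Framework " + version
                    + " is affected by CVE-2023-20861; upgrade to 6.0.7, 5.3.26 or 5.2.23.RELEASE");
        }
    }

    public static void main(String[] args) {
        // Constructed sample versions, checked against the advisory's ranges.
        String[] samples = {"6.0.6", "6.0.7", "5.3.25", "5.3.26", "5.2.22.RELEASE",
                            "5.2.23.RELEASE", "4.3.30.RELEASE", "6.1.0", null};
        for (String s : samples) {
            System.out.println(s + " fixed=" + isFixed(s));
        }
        check();
    }
}
```

Versions on the fixed side of each boundary (6.0.7, 5.3.26, 5.2.23.RELEASE) pass; the last affected release of each line (6.0.6, 5.3.25, 5.2.22.RELEASE) and anything older fail, as does a null version, so a misconfigured build cannot pass the check by accident.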
Additional Resources
- https://security.netapp.com/advisory/ntap-20230420-0007/
- https://nvd.nist.gov/vuln/detail/CVE-2023-20861
- https://spring.io/security/cve-2023-20861
- https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f
- https://github.com/spring-projects/spring-framework
- https://osv.dev/vulnerability/GHSA-564r-hj7v-mcr5
- https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1
- https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5
What are Similar Vulnerabilities to CVE-2023-20861?
Similar Vulnerabilities: CVE-2023-45588, CVE-2023-32001, CVE-2023-29471, CVE-2023-27329, CVE-2023-36665
