CVE-2023-20863
Denial-of-Service vulnerability in spring-expression (Maven)

Tags: Denial-of-Service · No known exploit · Fixable by Resolved Security

What is CVE-2023-20863 About?

This is a Denial-of-Service (DoS) vulnerability in specific versions of Spring Framework where a specially crafted Spring Expression Language (SpEL) expression can cause a DoS condition. The impact is a resource exhaustion leading to system unresponsiveness. Exploiting this vulnerability is moderately complex, requiring knowledge of SpEL and its potential for resource exhaustion.

Affected Software

  • org.springframework:spring-expression
    • <5.2.24.RELEASE
    • >5.3.0, <5.3.27
    • >6.0.0, <6.0.8

Technical Details

The vulnerability exists in Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8. It allows an attacker to supply a specially crafted Spring Expression Language (SpEL) expression. Such expressions are designed to consume excessive computational resources, for instance through deeply nested operations, recursive evaluations, or extensive string manipulations that are disproportionately expensive to compute. When the Spring Framework parses or evaluates such an expression, CPU usage or memory consumption rises sharply, eventually causing the application to become unresponsive or crash and resulting in a Denial-of-Service condition.

What is the Impact of CVE-2023-20863?

Successful exploitation may allow attackers to cause the system to become unresponsive or crash due to excessive resource consumption, leading to a denial of service.

What is the Exploitability of CVE-2023-20863?

Exploitation of this Denial-of-Service vulnerability requires the ability to inject or influence a string that the application interprets as a Spring Expression Language (SpEL) expression. The complexity is moderate, as it requires specific knowledge of SpEL syntax and of how to craft expressions that trigger resource exhaustion. Authentication requirements depend on whether the SpEL expression input point is authenticated; if it processes unauthenticated user input, the attack can be unauthenticated and remote. No special privileges beyond the ability to provide input are generally required. Risk is highest in applications that expose SpEL evaluation to untrusted input sources without proper validation or sandboxing.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-20863?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch introduces a maximum permitted length (10,000 characters) for SpEL expressions and throws an exception, with a specific error message, when an expression exceeds this threshold. This mitigates CVE-2023-20863 by preventing attackers from submitting excessively large or complex SpEL expressions that could otherwise exhaust resources and cause a denial of service.
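The following is an added example, not Resolved Security's patch or Spring's own code: a thin wrapper that enforces the same kind of length cap described above on the raw expression string before it ever reaches the SpEL parser, so an oversized input is rejected without incurring any parse or evaluation cost. The 10,000-character limit is the value stated in this advisory; the class name, method names and the `Order` demo object are hypothetical. The wrapper also evaluates against a read-only data-binding context as defence in depth, which is a choice of this example rather than something the advisory describes.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/**
 * Added example (hypothetical class, not the patch's code): bounds the length of
 * SpEL expressions before parsing, mirroring the cap described in the advisory.
 */
public final class BoundedSpelEvaluator {

    /** Maximum accepted expression length; value taken from the advisory. */
    public static final int MAX_EXPRESSION_LENGTH = 10_000;

    private final ExpressionParser parser = new SpelExpressionParser();

    /** Raised when an expression exceeds the cap; the parser is never invoked. */
    public static final class ExpressionTooLongException extends IllegalArgumentException {
        ExpressionTooLongException(int actual) {
            super("SpEL expression length " + actual
                    + " exceeds maximum permitted length of " + MAX_EXPRESSION_LENGTH);
        }
    }

    /**
     * Checks the raw string length first, then parses and evaluates the expression
     * against the root object using a read-only data-binding context (no type
     * references, constructors or bean references are available to the expression).
     */
    public Object evaluate(String expressionString, Object root) {
        if (expressionString == null) {
            throw new IllegalArgumentException("expression must not be null");
        }
        if (expressionString.length() > MAX_EXPRESSION_LENGTH) {
            throw new ExpressionTooLongException(expressionString.length());
        }
        Expression expression = parser.parseExpression(expressionString);
        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expression.getValue(context, root);
    }

    /** Constructed demo root object with a single readable property. */
    public static final class Order {
        private final int quantity;
        public Order(int quantity) { this.quantity = quantity; }
        public int getQuantity() { return quantity; }
    }

    public static void main(String[] args) {
        BoundedSpelEvaluator evaluator = new BoundedSpelEvaluator();

        // A normal, short expression is evaluated as usual.
        System.out.println(evaluator.evaluate("quantity * 2", new Order(21)));

        // Constructed oversized input: a 10,001-digit numeric literal. Harmless in itself,
        // but it exceeds the cap and is rejected before parseExpression() is called.
        String oversized = "0".repeat(MAX_EXPRESSION_LENGTH + 1);
        try {
            evaluator.evaluate(oversized, new Order(1));
        } catch (ExpressionTooLongException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The length check runs on the untrusted string itself, so the cost of rejecting an oversized expression is constant regardless of its content. A cap of this kind bounds input size but not the per-character cost of every construct SpEL supports, so it belongs alongside the upgrade paths listed below and a restricted evaluation context, never as a reason to evaluate untrusted input with a `StandardEvaluationContext`.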

Available Upgrade Options

  • org.springframework:spring-expression
    • <5.2.24.RELEASE → Upgrade to 5.2.24.RELEASE
    • >5.3.0, <5.3.27 → Upgrade to 5.3.27
    • >6.0.0, <6.0.8 → Upgrade to 6.0.8


Additional Resources

What are Similar Vulnerabilities to CVE-2023-20863?

Similar Vulnerabilities: CVE-2018-1270, CVE-2017-4971, CVE-2016-5007, CVE-2016-4977, CVE-2016-5696