Описание
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true:
- The application evaluates user-supplied SpEL expressions.
A flaw was found in the Spring framework package. A maliciously crafted Spring Expression Language (SePL) may trigger uncontrolled CPU usage, leading to a denial of service in the application consuming it. To be considered vulnerable, one application has to evaluate user-supplied SpEL expressions.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| AMQ Clients | org.springframework/spring-expression | Not affected | ||
| A-MQ Clients 2 | org.springframework/spring-expression | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | org.springframework/spring-expression | Not affected | ||
| Red Hat AMQ Broker 7 | org.springframework/spring-expression | Not affected | ||
| Red Hat build of Apache Camel 4 for Quarkus 3 | org.springframework/spring-expression | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | org.springframework/spring-expression | Out of support scope | ||
| Red Hat build of Apache Camel - HawtIO 4 | org.springframework/spring-expression | Fix deferred | ||
| Red Hat Build of Keycloak | org.springframework/spring-expression | Not affected | ||
| Red Hat build of OptaPlanner 8 | org.springframework/spring-expression | Will not fix | ||
| Red Hat build of Quarkus | org.springframework/spring-expression | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.9 Medium
CVSS3
Связанные уязвимости
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported vers ...
Уязвимость программной платформы Spring Framework, связанная с ошибками освобождения ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
5.9 Medium
CVSS3