GHSA-9cmq-m9j5-mvww

Suggest an improvement
Source
https://github.com/advisories/GHSA-9cmq-m9j5-mvww
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9cmq-m9j5-mvww/GHSA-9cmq-m9j5-mvww.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9cmq-m9j5-mvww
Aliases
Related
Published
2024-08-20T09:30:28Z
Modified
2024-08-20T20:28:57.244401Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Spring Framework vulnerable to Denial of Service
Details

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Older, unsupported versions are also affected.

Specifically, an application is vulnerable when the following is true:

  • The application evaluates user-supplied SpEL expressions.
References

Affected packages

Maven / org.springframework:spring-expression

Package

Name
org.springframework:spring-expression
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-expression

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.39

Affected versions

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
3.2.11.RELEASE
3.2.12.RELEASE
3.2.13.RELEASE
3.2.14.RELEASE
3.2.15.RELEASE
3.2.16.RELEASE
3.2.17.RELEASE
3.2.18.RELEASE

4.*

4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.0.5.RELEASE
4.0.6.RELEASE
4.0.7.RELEASE
4.0.8.RELEASE
4.0.9.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.1.6.RELEASE
4.1.7.RELEASE
4.1.8.RELEASE
4.1.9.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.3.0.RELEASE
4.3.1.RELEASE
4.3.2.RELEASE
4.3.3.RELEASE
4.3.4.RELEASE
4.3.5.RELEASE
4.3.6.RELEASE
4.3.7.RELEASE
4.3.8.RELEASE
4.3.9.RELEASE
4.3.10.RELEASE
4.3.11.RELEASE
4.3.12.RELEASE
4.3.13.RELEASE
4.3.14.RELEASE
4.3.15.RELEASE
4.3.16.RELEASE
4.3.17.RELEASE
4.3.18.RELEASE
4.3.19.RELEASE
4.3.20.RELEASE
4.3.21.RELEASE
4.3.22.RELEASE
4.3.23.RELEASE
4.3.24.RELEASE
4.3.25.RELEASE
4.3.26.RELEASE
4.3.27.RELEASE
4.3.28.RELEASE
4.3.29.RELEASE
4.3.30.RELEASE

5.*

5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.0.20.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.1.14.RELEASE
5.1.15.RELEASE
5.1.16.RELEASE
5.1.17.RELEASE
5.1.18.RELEASE
5.1.19.RELEASE
5.1.20.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.2.16.RELEASE
5.2.17.RELEASE
5.2.18.RELEASE
5.2.19.RELEASE
5.2.20.RELEASE
5.2.21.RELEASE
5.2.22.RELEASE
5.2.23.RELEASE
5.2.24.RELEASE
5.2.25.RELEASE
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.20
5.3.21
5.3.22
5.3.23
5.3.24
5.3.25
5.3.26
5.3.27
5.3.28
5.3.29
5.3.30
5.3.31
5.3.32
5.3.33
5.3.34
5.3.35
5.3.36
5.3.37
5.3.38