We have released Spring Framework 5.3.17 to address the following CVE report.
Please review the information in the CVE report and upgrade immediately.
Spring Boot users should upgrade to 2.5.11 or 2.6.5.
CVE-2022-22950: Spring Expression DoS Vulnerability
Severity
Medium
Vendor
Spring by VMware
Description
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Spring Framework
- 5.3.0 to 5.3.16
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to 5.3.17+. No other steps are necessary. Releases that have fixed this issue include:
- Spring Framework
- 5.3.17+
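As an added defender-side check, not part of the advisory itself, the Python below applies the version ranges stated above (Spring Framework fixed in 5.3.17, Spring Boot fixed in 2.5.11 and 2.6.5, older lines treated as affected) to a constructed `mvn dependency:tree` excerpt; the regex, the sample output and the handling of Boot lines other than 2.5.x/2.6.x are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Fix thresholds as stated in the CVE-2022-22950 advisory.
FIXED_FRAMEWORK = (5, 3, 17)
FIXED_BOOT = {(2, 5): 11, (2, 6): 5}

# Matches Maven dependency:tree lines such as
# "[INFO] +- org.springframework:spring-core:jar:5.3.16:compile" (assumed format).
DEP_RE = re.compile(r"org\.springframework:(spring-[\w-]+):jar:([\w.\-]+)")

def parse_version(s: str) -> Optional[Tuple[int, int, int]]:
    """Parse '5.3.16' or '5.2.20.RELEASE' into (major, minor, patch); None if unparsable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def framework_affected(version: str) -> bool:
    """True for Spring Framework 5.3.0-5.3.16 and for older, unsupported versions."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return v < FIXED_FRAMEWORK

def boot_needs_upgrade(version: str) -> bool:
    """True if a Spring Boot version is below the 2.5.11 / 2.6.5 fix releases.
    Lines older than 2.5 are treated as affected; newer lines as fixed (assumption)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    line = (v[0], v[1])
    if line in FIXED_BOOT:
        return v[2] < FIXED_BOOT[line]
    return v < (2, 5, 0)

def affected_from_dependency_tree(tree: str) -> List[str]:
    """Return 'groupId:artifactId:version' for every Spring Framework jar in the affected range."""
    hits = []
    for artifact, version in DEP_RE.findall(tree):
        if framework_affected(version):
            hits.append(f"org.springframework:{artifact}:{version}")
    return hits

# Constructed sample of mvn dependency:tree output for a Boot 2.6.4 project.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.4:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.16:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:5.3.16:compile
[INFO] |  |  \\- org.springframework:spring-core:jar:5.3.16:compile
[INFO] |  \\- org.springframework:spring-expression:jar:5.3.16:compile
"""

if __name__ == "__main__":
    for hit in affected_from_dependency_tree(SAMPLE_TREE):
        print("affected:", hit)
```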
Credit
This vulnerability was initially discovered and responsibly reported by 4ra1n.
History
2022-03-28: Initial vulnerability report published.