CVE report published for Spring Framework

We have released Spring Framework 5.3.17 to address the following CVE report.

• CVE-2022-22950: Spring Expression DoS Vulnerability

Please review the information in the CVE report and upgrade immediately.

Spring Boot users should upgrade to 2.5.11 or 2.6.5.

CVE-2022-22950: Spring Expression DoS Vulnerability

• Severity

  Medium

• Vendor

  Spring by VMware

• Description

  In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

• Affected VMware Products and Versions

  Severity is medium unless otherwise noted.

  • Spring Framework
  • 5.3.0 to 5.3.16
  • Older, unsupported versions are also affected

• Mitigation

  Users of affected versions should upgrade to 5.3.17+. No other steps are necessary. Releases that have fixed this issue include:

  • Spring Framework
    • 5.3.17+

• Credit

  This vulnerability was initially discovered and responsibly reported by 4ra1n.

• References

  • https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  • https://cwe.mitre.org/data/definitions/770.html

• History

  2022-03-28: Initial vulnerability report published.

Reference

• https://spring.io/blog/2022/03/28/cve-report-published-for-spring-framework
• https://tanzu.vmware.com/security/cve-2022-22950