CVE-2023-20863

MEDIUM

Vmware Spring Framework < 5.2.24 - Denial of Service

Title source: rule

Description

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

References (2)

[Vendor Advisory] https://spring.io/security/cve-2023-20863

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240524-0015/

Scores

CVSS v3 6.5

EPSS 0.0118

EPSS Percentile 78.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-917 CWE-400

Status published

Products (2)

org.springframework/spring-expression 6.0.0 - 6.0.8Maven

vmware/spring_framework 5.2.0 - 5.2.24

Published Apr 13, 2023

Tracked Since Feb 18, 2026