Fluid Attacks Database

Description

Allocation of Resources Without Limits or Throttling in Spring Framework In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0.RELEASE - 5.2.19.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-expression	>=5.3.0 <5.3.17 \|\| >=0 <5.2.20.release	5.3.17, 5.2.20.release
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-core	>=5.2.0 <5.2.20 \|\| >=5.3.0 <5.3.17	5.2.20.release, 5.3.17
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-webmvc	>=5.2.0 <5.2.20 \|\| >=5.3.0 <5.3.17	5.2.20.release, 5.3.17
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-

Aliases

1. CVE-2022-229502. NVD-2022-229503. OSV-DEBIAN-2022-229504. OSV-2022-229505. GHSA-558x-2xjg-62326. GCVE-2022-229507. SECURITY-TRACKER-CVE-2022-229508. TANZU-cve-2022-22950

References

1. https://github.com/spring-projects/spring-framework/issues/281452. https://github.com/spring-projects/spring-framework/issues/282573. https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c114. https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE5. https://github.com/spring-projects/spring-framework/releases/tag/v5.3.176. https://tanzu.vmware.com/security/cve-2022-22950