Spring Security Advisories

CVE-2023-20863: Spring Expression DoS Vulnerability

HIGH | APRIL 13, 2023 | CVE-2023-20863

In Spring Framework versions 6.0.0 - 6.0.7, 5.3.0 - 5.3.26, 5.2.0.RELEASE - 5.2.23.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVE-2023-20861: Spring Expression DoS Vulnerability

MEDIUM | MARCH 24, 2023 | CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVE-2023-20859: Insertion of Sensitive Information into Log Sourced from Failed Revocation of Tokens

MEDIUM | MARCH 20, 2023 | CVE-2023-20859

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

Specifically, an application is vulnerable when all of the following are true:

  • The authentication mechanism creates Batch tokens.
  • Usage of LifecycleAwareSessionManager in an imperative-only arrangement.
  • LifecycleAwareSessionManager.destroy() is called by the application or the application shutdown hook
  • The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set at least to WARN

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all