QID 376642
Date Published: 2022-06-06
QID 376642: Spring Framework Denial of Service (DoS) Data Binding Vulnerability
Two denial of service (DoS) vulnerabilities exist in the Spring Framework, tracked as CVE-2022-22970 and CVE-2022-22971. CVE-2022-22970 affects applications that handle file uploads and rely on data binding to set a MultipartFile or javax.servlet.Part on a field of a model object. CVE-2022-22971 affects applications that expose a STOMP over WebSocket endpoint, which an authenticated user can abuse to cause a denial of service condition.
Vulnerable Versions:
Spring Framework versions 5.3.0 through 5.3.19, 5.2.0 through 5.2.21, and older unsupported versions are vulnerable. The fixes are in 5.3.20 and 5.2.22.
QID Detection: (Authenticated) - Linux
On Linux, the detection logic runs locate -b -e -r '^spring\-core.*\.jar$' and ls -l /proc/*/fd | grep -Eo '\S+\/spring\S+jar' | uniq 2> /dev/null and checks whether a spring-core-*.jar is present on the system. Note that locate only reports files indexed by the last updatedb run, and the /proc/*/fd listing only sees jars currently held open by running processes; a spring-core jar nested inside a Spring Boot executable jar (under BOOT-INF/lib) is not visible to either check.
QID Detection: (Authenticated) - Windows
On Windows systems, the QID identifies vulnerable Spring instances via WMI by checking whether spring-core appears in the command line of running processes. This only sees jars named on a process command line; jars loaded through a manifest Class-Path entry or nested inside a Spring Boot executable jar are not visible this way.
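As an added example, not Qualys's detection code and not from the Spring project, the following POSIX sh script gathers spring-core jars the way the Linux detection above does (locate database plus jars held open under /proc/*/fd) and then triages each jar by the version in its filename against the fixed releases 5.3.20 and 5.2.22 from the advisories. The sample paths it ships with are constructed, not taken from any host; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Qualys's detection code): gather spring-core jars the way
# the Linux QID does, then triage each one by the version in its filename
# against the fixed releases 5.3.20 and 5.2.22 named in the advisories.

# Print the version embedded in a spring-core jar filename, e.g.
# /opt/app/lib/spring-core-5.3.19.jar -> 5.3.19. Returns 1 for other jars.
spring_core_version() {
    name=$(basename "$1")
    case "$name" in
        spring-core-*.jar) ;;
        *) return 1 ;;
    esac
    v=${name#spring-core-}
    printf '%s\n' "${v%.jar}"
}

# Exit 0 if the jar's version falls in an affected range, 1 if it is fixed,
# 2 if the path is not a spring-core jar at all.
spring_core_vulnerable() {
    ver=$(spring_core_version "$1") || return 2
    old_ifs=$IFS
    IFS=.
    set -- $ver                      # 5.2.21.RELEASE -> 5 2 21 RELEASE
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}          # drop qualifiers such as 0-SNAPSHOT
    patch=${patch:-0}
    case "$major.$minor" in
        5.3) [ "$patch" -lt 20 ] ;;  # fixed in 5.3.20
        5.2) [ "$patch" -lt 22 ] ;;  # fixed in 5.2.22
        *)   # 4.x, 5.0.x and 5.1.x are unsupported and affected; 6.x is not
             [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; } ;;
    esac
}

# Candidate jar paths, gathered the way the QID does: the locate database and
# jars held open by running processes. Neither sees a spring-core jar nested
# inside a Spring Boot executable jar (BOOT-INF/lib).
find_spring_core_jars() {
    {
        locate -b -e -r '^spring\-core.*\.jar$' 2>/dev/null
        ls -l /proc/[0-9]*/fd 2>/dev/null | grep -Eo '[^ ]+/spring-core[^ ]*\.jar'
    } | sort -u
}

# Read jar paths on stdin, one per line; print the affected ones.
triage_jars() {
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        if spring_core_vulnerable "$jar"; then
            printf 'VULNERABLE %s (spring-core %s)\n' "$jar" "$(spring_core_version "$jar")"
        fi
    done
}

# Constructed sample paths (not taken from any real host) so the triage can be
# exercised offline; the last entry is not spring-core and must be ignored.
SAMPLE_JARS='/opt/app/lib/spring-core-5.3.19.jar
/opt/app/lib/spring-core-5.3.20.jar
/usr/share/java/spring-core-5.2.21.RELEASE.jar
/usr/share/java/spring-core-5.2.22.RELEASE.jar
/home/dev/.m2/repository/org/springframework/spring-core/4.3.30.RELEASE/spring-core-4.3.30.RELEASE.jar
/opt/other/lib/spring-core-6.0.0.jar
/opt/other/lib/spring-web-5.3.19.jar'

# Triage over the constructed sample; expected to flag 5.3.19, 5.2.21 and 4.3.30.
sample_triage() {
    printf '%s\n' "$SAMPLE_JARS" | triage_jars
}

# "scan" as the first argument runs against the live host instead of the sample.
if [ "${1:-}" = "scan" ]; then
    find_spring_core_jars | triage_jars
else
    sample_triage
fi
```

The triage trusts the filename, which is how the QID's own commands identify the jar. A renamed or repackaged spring-core would need its version read from META-INF/MANIFEST.MF inside the jar instead, and a Spring Boot fat jar would need its BOOT-INF/lib contents listed, since neither locate nor /proc/*/fd will surface the nested jar.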
Successful exploitation may allow an attacker to cause a denial of service condition: for CVE-2022-22970 by sending crafted multipart or form data to an application that binds uploaded files to model fields, and for CVE-2022-22971 by an authenticated user sending crafted messages to a STOMP over WebSocket endpoint.
Customers are advised to visit Spring Framework Advisory 70 and Spring Framework Advisory 71 for more information on this.
- Spring Framework Advisory 70 (CVE-2022-22970): tanzu.vmware.com/security/cve-2022-22970
- Spring Framework Advisory 71 (CVE-2022-22971): tanzu.vmware.com/security/cve-2022-22971
CVEs related to QID 376642
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Spring Framework Advisory 70 | Spring Framework | | tanzu.vmware.com/security/cve-2022-22970 |
| Spring Framework Advisory 71 | Spring Framework | | tanzu.vmware.com/security/cve-2022-22971 |