CVE-2023-20861: 
Java vulnerability analysis and mitigation

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, a vulnerability was discovered that allows users to provide specially crafted SpEL (Spring Expression Language) expressions that could cause a denial-of-service (DoS) condition. The vulnerability was initially discovered and responsibly reported by the Google OSS-Fuzz team from Code Intelligence (Spring Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, and doesn't require user interaction. The impact is limited to availability, with no impact on confidentiality or integrity (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition, potentially affecting the availability of applications using the vulnerable versions of Spring Framework (NetApp Advisory).

Users of affected versions should upgrade to the following fixed versions: Spring Framework 6.0.x users should upgrade to 6.0.7 or later, 5.3.x users should upgrade to 5.3.26 or later, and 5.2.x users should upgrade to 5.2.23.RELEASE or later. Users of older, unsupported versions should upgrade to either 6.0.7+ or 5.3.26+. No additional mitigation steps are necessary (Spring Advisory).