CVE-2023-20863: 
Java vulnerability analysis and mitigation

In Spring Framework versions prior to 5.2.24 release+, 5.3.27+, and 6.0.8+, a vulnerability was discovered that allows users to provide specially crafted SpEL (Spring Expression Language) expressions that could cause a denial-of-service (DoS) condition. The vulnerability affects Spring Framework versions 6.0.0-6.0.7, 5.3.0-5.3.26, 5.2.0.RELEASE-5.2.23.RELEASE, and older unsupported versions (Spring Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to improper neutralization of special elements used in an Expression Language Statement (CWE-917) and Uncontrolled Resource Consumption (CWE-400). The issue specifically involves the Spring Expression Language (SpEL) component, where certain expressions are not properly restricted in size (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition, affecting the availability of the system. The CVSS scoring indicates high impact on availability (A:H) while maintaining no impact on confidentiality (C:N) or integrity (I:N) (Spring Advisory).

Users of affected versions should upgrade to the following patched versions: Spring Framework 6.0.8+ for 6.0.x users, 5.3.27+ for 5.3.x users, or 5.2.24.RELEASE+ for 5.2.x users. Users of older, unsupported versions should upgrade to either 6.0.8+ or 5.3.27+. No other mitigation steps are necessary (Spring Advisory).

The vulnerability was initially discovered and responsibly reported by the Google OSS-Fuzz team from Code Intelligence (Spring Advisory).