CVE-2024-38808: 
Java vulnerability analysis and mitigation

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, a vulnerability has been identified where users can provide specially crafted Spring Expression Language (SpEL) expressions that may cause a denial of service (DoS) condition. The vulnerability was disclosed on August 14, 2024, and affects applications that evaluate user-supplied SpEL expressions (Spring Security).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. The vulnerability is related to the allocation of resources without limits or throttling (CWE-770). The issue specifically manifests when applications evaluate user-supplied SpEL expressions, potentially leading to uncontrolled CPU usage (NVD, Spring Security).

When successfully exploited, this vulnerability can lead to a denial of service (DoS) condition, potentially affecting the availability of the application. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (Spring Security).

Users of affected versions should upgrade to Spring Framework version 5.3.39 or later, or version 6.0+. For those unable to upgrade immediately, it is recommended to avoid the evaluation of user-supplied SpEL expressions when possible. If evaluation is necessary, user-supplied SpEL expressions should be evaluated with a SimpleEvaluationContext in read-only mode. Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can utilize Spring Boot Hotfix releases 2.7.21.1, 3.0.16.1, and 3.1.12.1 (Spring Blog).