Code Intelligence Uncovers Another Expression Denial of Service Vulnerability in Spring - CVE-2023-20863
Bonn, Germany, April 14th, 2023 -As part of Code Intelligence’s ongoing efforts to improve the security of open-source software it continuously tests open-source projects with its JVM fuzzing engine, Jazzer, in Google’s OSS-Fuzz. Today Code Intelligence uncovered a Denial of Service (DoS) vulnerability in the Spring Framework (CVE-2023-20863), which has a CVSS score of 7.5. This is the second DoS vulnerability in Spring that Code Intelligence has found in the last few weeks, the previous one being (CVE-2023-20861).
Spring is one of the most widely used frameworks for developing web applications in Java. As a result of this vulnerability, applications that rely on vulnerable versions of Spring are at a higher risk of severe availability issues.
More details on the vulnerability, along with affected versions and mitigation steps, can be found in Code Intelligence’s blog on the topic.
Sources:
- https://www.code-intelligence.com/blog/expression-dos-spring-part-2
- https://spring.io/security/cve-2023-20863
- https://cwe.mitre.org/data/definitions/7
- https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O
About Code Intelligence:
Founded in 2018 by Sergej Dechand, Khaled Yakdan, and Matthew Smith, Code Intelligence offers an automated software security platform that helps developers ship more secure code. The startup strongly focuses on securing memory-safe languages widely used in the industry. To this end, it develops and maintains the leading fuzzing engines for Java and JavaScript. It also contributed several improvements to fuzzing in Golang, which have been integrated into the language, benefiting all Go developers. Code Intelligence is trusted by Google, Deutsche Telekom, Bosch, and CARIAD, amongst others.
Media Kit
Media Contact