Automated software security company Code Intelligence has recently discovered a Denial of Service (DoS) vulnerability (CVE-2023-20863) in the Spring Framework. This is the second DoS vulnerability that Code Intelligence has found in the Spring Frameworkover the past few weeks. 

The previous finding in Spring was CVE-2023-20861, which has a CVSS score of 5.3, while the new finding has a higher score of 7.5. The CVSS scoring system is used to determine the severity of computer system security vulnerabilities. 

The vulnerability was uncovered through the company’s efforts to improve the security of open-source software by testing projects with its JVM fuzzing engine, Jazzer, in Google’s OSS-Fuzz.

Due to this vulnerability, applications that rely on vulnerable versions of Spring are at a high risk of Server availability issues. The affected versions are:

  • 6.0.0 to 6.0.7
  • 5.3.0 to 5.3.26
  • 5.2.0 to 5.2.23.RELEASE 

According to Code Intelligence, fixes have been issued to address the CVE. These involve putting limit checks in place on the size of repeated text as well as the length of regular expressions used in the matches operator. 

Impacted users have been advised to upgrade to a newer version that includes these fixes. Users of 6.0.x should upgrade to 6.0.8+, users of 5.3.x should upgrade to 5.3.27+, and users of 5.2.x should upgrade to 5.2.24.RELEASE+.

For more information, visit the website.