[MAVEN:GHSA-WJJR-H4WH-W6VV] Spring Framework Inefficient Regular Expression Complexity

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

Package	Affected Version
pkg:maven/org.springframework/spring-core	>= 1.1.0, <= 2.5.6

Package	Fixed Version
pkg:maven/org.springframework/spring-core	= 3.0.0.RELEASE

ID: MAVEN:GHSA-WJJR-H4WH-W6VV
Severity: moderate
URL: https://github.com/advisories/GHSA-wjjr-h4wh-w6vv
Published: 2022-05-02T03:22:35
(2 years ago)
Modified: 2023-01-29T05:03:44
(19 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2009-1190
			https://bugzilla.redhat.com/show_bug.cgi?id=497161
			https://exchange.xforce.ibmcloud.com/vulnerabilities/50083
			http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
			http://www.springsource.com/securityadvisory
			https://github.com/advisories/GHSA-wjjr-h4wh-w6vv

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.springframework/spring-core	org.springframework	spring-core	>= 1.1.0 <= 2.5.6
Fixed	pkg:maven/org.springframework/spring-core	org.springframework	spring-core	= 3.0.0.RELEASE

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date