Spring Framework Inefficient Regular Expression Complexity

GHSA-wjjr-h4wh-w6vv · CVE-2009-1190

Published May 2, 2022 · Modified Dec 7, 2024

Description

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2009-1190
WEB https://bugzilla.redhat.com/show_bug.cgi?id=497161
WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/50083
WEB http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
WEB http://www.springsource.com/securityadvisory

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes