GHSA-jjfh-589g-3hjx: Spring Boot denial of service vulnerability


Moderate severity. GitHub Reviewed. Published to the GitHub Advisory Database Nov 28, 2023; last updated Nov 28, 2023.

Package: org.springframework.boot:spring-boot (Maven)

Affected versions:

  • < 2.7.18
  • >= 3.0.0, < 3.0.13
  • >= 3.1.0, < 3.1.6

Patched versions: 2.7.18, 3.0.13, 3.1.6

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, a user can send specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • org.springframework.boot:spring-boot-actuator is on the classpath (note that the condition is presence on the classpath, not an actuator endpoint exposed over HTTP)
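The two preconditions plus the version table are enough to triage a build offline. The script below is an added example written for this page (it is not code from Spring, GitHub or the advisory): it reads the `groupId:artifactId:type[:classifier]:version:scope` lines that `mvn dependency:list` prints, checks the spring-boot version against the advisory's affected ranges, and reports whether the actuator and a Spring MVC/WebFlux artifact are both present. The actuator coordinate is quoted from the advisory; the assumption that Spring MVC and WebFlux show up as `org.springframework:spring-webmvc` and `org.springframework:spring-webflux` is mine, as is the constructed sample input. The affected ranges follow the advisory's table (`< 2.7.18`), which is wider than the `2.7.0 - 2.7.17` wording in the description.

```python
"""Triage a Maven dependency list for CVE-2023-34055 / GHSA-jjfh-589g-3hjx.

Example code for this page, not from Spring or GitHub.  Input: the lines of
`mvn dependency:list` ("[INFO]    groupId:artifactId:type[:classifier]:version:scope").
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the advisory's table states them:
# (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, (2, 7, 18)),       # < 2.7.18
    ((3, 0, 0), (3, 0, 13)),  # >= 3.0.0, < 3.0.13
    ((3, 1, 0), (3, 1, 6)),   # >= 3.1.0, < 3.1.6
]

BOOT = ("org.springframework.boot", "spring-boot")
ACTUATOR = ("org.springframework.boot", "spring-boot-actuator")  # quoted from the advisory
# Assumption (not stated on the page): MVC/WebFlux are indicated by these artifacts.
WEB_STACKS = {
    ("org.springframework", "spring-webmvc"): "Spring MVC",
    ("org.springframework", "spring-webflux"): "Spring WebFlux",
}


def parse_version(version: str) -> Optional[Version]:
    """Leading major.minor.patch of a Maven version; None if it has no such prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True/False against the advisory ranges; None when the version is unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


def parse_dependency_lines(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (groupId, artifactId, version) from dependency:list output, skipping noise."""
    for raw in lines:
        token = raw.replace("[INFO]", "", 1).split()
        if not token:
            continue
        parts = token[0].split(":")
        if len(parts) < 5:          # not a g:a:type[:classifier]:version:scope line
            continue
        yield parts[0], parts[1], parts[-2]   # version is always second-to-last


@dataclass
class Finding:
    boot_version: Optional[str] = None
    boot_affected: Optional[bool] = None
    actuator_present: bool = False
    web_stack: Optional[str] = None

    @property
    def vulnerable(self) -> bool:
        """All three advisory conditions hold: affected Boot, actuator, MVC or WebFlux."""
        return bool(self.boot_affected) and self.actuator_present and self.web_stack is not None


def assess(lines: Iterable[str]) -> Finding:
    finding = Finding()
    for group, artifact, version in parse_dependency_lines(lines):
        key = (group, artifact)
        if key == BOOT:
            finding.boot_version = version
            finding.boot_affected = is_affected(version)
        elif key == ACTUATOR:
            finding.actuator_present = True
        elif key in WEB_STACKS:
            finding.web_stack = WEB_STACKS[key]
    return finding


# Constructed sample output (not captured from a real build).
VULNERABLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:list (default-cli) @ demo ---
[INFO]    org.springframework.boot:spring-boot:jar:2.7.17:compile
[INFO]    org.springframework.boot:spring-boot-actuator:jar:2.7.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.30:compile
"""
PATCHED_TREE = VULNERABLE_TREE.replace("2.7.17", "2.7.18")
NO_ACTUATOR_TREE = """\
[INFO]    org.springframework.boot:spring-boot:jar:3.1.5:compile
[INFO]    org.springframework:spring-webflux:jar:6.0.13:compile
"""

if __name__ == "__main__":
    # Pipe `mvn dependency:list` into the script, or run it bare to see the samples.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else VULNERABLE_TREE.splitlines()
    f = assess(source)
    print(f"spring-boot {f.boot_version}: affected={f.boot_affected}, "
          f"actuator={f.actuator_present}, web stack={f.web_stack} -> vulnerable={f.vulnerable}")
```

A `None` for `boot_affected` means the version string had no `major.minor.patch` prefix and needs a manual look; the script deliberately does not treat that as safe. The WebFlux-only tree with no actuator comes out as not vulnerable even though its Boot version is in range, which mirrors the advisory's "all of the following" wording, but upgrading is still the right call since the actuator condition is one transitive dependency away.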

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-34055
  • https://spring.io/security/cve-2023-34055

Published to the GitHub Advisory Database: Nov 28, 2023

Last updated: Nov 28, 2023

Related news

Red Hat Security Advisory 2024-3354-03

Red Hat Security Advisory 2024-3354-03 - Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include HTTP request smuggling, bypass, denial of service, deserialization, and traversal vulnerabilities.

CVE-2023-34055: Spring Boot server Web Observations DoS Vulnerability
