Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-v94h-hvhg-mf9h: Spring Framework vulnerable to denial of service

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • io.micrometer:micrometer-core is on the classpath
  • an ObservationRegistry is configured in the application to record observations

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

ghsa
#web#dos#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-34053

Spring Framework vulnerable to denial of service

Moderate severity GitHub Reviewed Published Nov 28, 2023 to the GitHub Advisory Database • Updated Nov 28, 2023

Package

maven org.springframework:spring-webmvc (Maven)

Affected versions

>= 6.0.0, < 6.0.14

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • io.micrometer:micrometer-core is on the classpath
  • an ObservationRegistry is configured in the application to record observations

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-34053
  • https://spring.io/security/cve-2023-34053
  • spring-projects/[email protected]…v6.0.14

Published to the GitHub Advisory Database

Nov 28, 2023

Last updated

Nov 28, 2023

Related news

CVE-2023-34053: CVE-2023-34053: Spring Framework server Web Observations DoS Vulnerability

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

CVE-2023-34055: CVE-2023-34055: Spring Boot server Web Observations DoS Vulnerability

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath