GHSA-v94h-hvhg-mf9h: Spring Framework vulnerable to denial of service

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-34053

Spring Framework vulnerable to denial of service

Moderate severity GitHub Reviewed Published Nov 28, 2023 to the GitHub Advisory Database • Updated Nov 28, 2023

Package

maven org.springframework:spring-webmvc (Maven)

Affected versions

>= 6.0.0, < 6.0.14

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

• the application uses Spring MVC or Spring WebFlux
• io.micrometer:micrometer-core is on the classpath
• an ObservationRegistry is configured in the application to record observations

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-34053
• https://spring.io/security/cve-2023-34053
• spring-projects/[email protected]…v6.0.14

Published to the GitHub Advisory Database

Nov 28, 2023

Last updated

Nov 28, 2023