A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

horsicq / **XMachOViewer** Public

*   Notifications
*   Fork 50
*   Star 635
    

XMachOViewer is a Mach-O viewer for Windows, Linux and MacOS

ntinfo.biz

**License**

MIT license

635 stars 50 forks Activity

Star

Notifications

*   Code
*   Issues 2
*   Pull requests
*   Discussions
*   Actions
*   Projects
*   Security
*   Insights

Additional navigation options

master

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **5** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Git stats**

*   **12,688** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.github

Create docker-image.yml

May 24, 2021 11:42

Controls @ bde01e3

Update module: Controls 2023-11-28

November 28, 2023 00:21

Detect-It-Easy @ 361698e

Update module: Detect-It-Easy 2023-11-28

November 28, 2023 00:23

FormatDialogs @ de15ef2

Update module: FormatDialogs 2023-11-27

November 27, 2023 01:47

FormatWidgets @ e36380f

Update module: FormatWidgets 2023-11-28

November 28, 2023 00:22

Formats @ c3ce687

Update module: Formats 2023-11-28

November 28, 2023 00:22

LINUX

Fix: 2022-08-08

August 8, 2022 18:47

SpecAbstract @ 9282c42

Fix: 2023-10-04

October 4, 2023 19:31

StaticScan @ 723090f

Fix: 2023-05-23

May 23, 2023 20:34

XAboutWidget @ 8cc8adb

Fix: 2023-09-05

September 5, 2023 00:12

XArchive @ 6d85719

Update module: XArchive 2023-11-12

November 12, 2023 16:19

XCapstone @ 8c16344

Update module: XCapstone 2023-11-28

November 28, 2023 00:22

XCppfilt @ d9c2be9

Update module: XCppfilt 2023-10-18

October 18, 2023 18:34

XDEX @ 71db4b8

Fix: 2023-07-31

July 31, 2023 19:05

XDataConvertorWidget @ a776bd1

Update module: XDataConvertorWidget 2023-11-28

November 28, 2023 03:49

XDecompiler @ 3391a28

Fix: 2023-08-21

August 21, 2023 18:48

XDemangle @ c8c3172

Update module: XDemangle 2023-11-24

November 24, 2023 00:25

XDemangleWidget @ af0d823

Fix: 2023-09-29

September 29, 2023 17:36

XDisasm @ 7767f42

Fix: 2023-04-10

April 10, 2023 01:26

XDisasmView @ b81ac59

Update module: XDisasmView 2023-11-28

November 28, 2023 00:22

XDynStructs @ d67af94

Fix: 2023-03-11

March 11, 2023 22:35

XDynStructsEngine @ f90de40

Fix: 2023-03-13

March 13, 2023 05:40

XDynStructsWidget @ 2243d2a

Fix: 2023-09-11

September 11, 2023 00:08

XEntropyWidget @ 57dc917

Fix: 2023-09-25

September 25, 2023 19:09

XExtractor @ 040530e

Fix: 2023-08-04

August 4, 2023 00:19

XExtractorWidget @ 989bda3

Fix: 2023-09-25

September 25, 2023 18:34

XFileInfo @ e1535c6

Fix: 2023-09-25

September 25, 2023 18:47

XGithub @ e66b9dc

Fix: 2023-03-15

March 15, 2023 06:09

XHashWidget @ 86c77b4

Fix: 2023-09-25

September 25, 2023 19:12

XHexEdit @ 04d9067

Fix: 2023-07-27

July 27, 2023 00:30

XHexView @ 9a4b88a

Update module: XHexView 2023-11-28

November 28, 2023 00:22

XInfoDB @ df88dd6

Update module: XInfoDB 2023-11-28

November 28, 2023 00:22

XLLVMDemangler @ 9f9ca2e

Fix: 2023-03-11

March 11, 2023 23:13

XMemoryMapWidget @ ce52b89

Update module: XMemoryMapWidget 2023-11-10

November 10, 2023 00:21

XOnlineTools @ 834247c

Fix: 2023-09-25

September 25, 2023 18:44

XOptions @ 4a25fe9

Update module: XOptions 2023-11-28

November 28, 2023 00:22

XPDF @ 74f8435

Fix: 2023-08-11

August 11, 2023 00:39

XQwt @ 0a1a424

Fix: 2023-07-08

July 8, 2023 00:45

XShortcuts @ 5dc4922

Update module: XShortcuts 2023-11-25

November 25, 2023 12:11

XStyles @ 62e634b

Fix: 2023-10-02

October 2, 2023 16:22

XSymbolsWidget @ d8fe2aa

Fix: 2023-09-05

September 5, 2023 00:15

XTranslation @ a16af1d

Update module: XTranslation 2023-11-20

November 20, 2023 00:21

XUpdate @ 5c69107

Fix: 2023-04-10

April 10, 2023 21:46

XVisualizationWidget @ 1d78c38

Fix: 2023-09-25

September 25, 2023 18:38

XYara @ cb9b124

Update module: XYara 2023-10-23

October 23, 2023 18:32

archive\_widget @ 289ba6b

Fix: 2023-09-07

September 7, 2023 14:32

build\_libs

Fix: 2023-05-22

May 22, 2023 18:12

build\_tools @ 14c6d42

Update module: build\_tools 2023-11-02

November 2, 2023 18:29

die\_script @ 490a8cb

Update module: die\_script 2023-11-26

November 26, 2023 00:22

die\_widget @ 2cc7014

Update module: die\_widget 2023-11-23

November 23, 2023 08:52

docs

Format RUN.md

October 13, 2023 02:57

gui\_source

Fix: 2023-09-05

September 5, 2023 00:09

hex\_templates @ dff5b39

Fix: 2023-03-11

March 11, 2023 23:02

icons

Fix: 2022-08-08

August 8, 2022 18:47

images/thanks

Fix: 2023-09-08

September 8, 2023 00:50

mascots

Fix: 2021-05-05

May 5, 2021 18:10

nfd\_widget @ 0258f38

Update module: nfd\_widget 2023-10-17

October 17, 2023 18:52

signatures @ b8f9793

Fix: 2023-03-11

March 11, 2023 22:35

yara\_widget @ 5180c67

Update module: yara\_widget 2023-10-18

October 18, 2023 18:35

.gitmodules

Add new module

November 26, 2023 00:08

CMakeLists.txt

Fix: 2023-05-22

May 22, 2023 18:12

Dockerfile

Fix: 2021-05-24

May 24, 2021 12:04

LICENSE

Fix: 2023-02-18

February 18, 2023 00:08

README.md

Update README.md

October 16, 2023 22:03

THANKS.md

Fix: 2023-09-08

September 8, 2023 00:50

build.pri

Fix: 2023-03-14

March 14, 2023 08:11

build\_dpkg.sh

Fix: 2022-08-12

August 12, 2022 16:39

build\_mac.sh

Fix: 2022-08-05

August 5, 2022 15:28

build\_msvc\_win32.bat

Fix: 2021-09-28

September 28, 2021 19:06

build\_msvc\_win64.bat

Fix: 2021-09-28

September 28, 2021 19:06

build\_msvc\_winxp.bat

Fix: 2021-09-28

September 28, 2021 19:06

build\_win32.bat

Fix: 2021-05-21

May 21, 2021 17:58

build\_win64.bat

Fix: 2021-05-21

May 21, 2021 17:58

build\_win\_generic.cmd

Fix: 2022-08-05

August 5, 2022 15:28

changelog.txt

Fix: 2022-07-19

July 19, 2022 18:10

configure

Fix: 2022-08-02

August 2, 2022 16:30

configure.ac

Fix: 2022-08-02

August 2, 2022 16:30

create\_appimage.sh

Fix: 2022-08-05

August 5, 2022 18:12

global.h

Fix: 2023-04-02

April 2, 2023 13:55

install.iss

Fix: 2022-05-24

May 24, 2022 18:22

install.sh

Fix: 2022-08-05

August 5, 2022 15:28

release\_version.txt

Fix: 2022-07-19

July 19, 2022 18:10

xmachoviewer\_source.pro

Fix: 2022-01-24

January 24, 2022 18:44

MachO file viewer/editor for Windows, Linux and macOS. Features Downloads Building Usage Changelog You can help with translation! Special Thanks

**README.md**

   

**MachO file viewer/editor for Windows, Linux and macOS.****Features**

*   Heuristic scan
*   String viewer
*   Hex viewer
*   Disasm viewer(x86/64,ARM,PPC,m68k)
*   Entropy viewer
*   Hash viewer
*   Crypto search
*   Name demangling

**Downloads**

XMachOViewer can be downloaded from the releases page.

**Building**

Build instructions can be found in BUILD.md.

**Usage**

Instructions to use xmachoviewer - The GUI version can be found in RUN.md.

**Changelog**

Changelog can be found in changelog.txt.

**You can help with translation!**

Follow This link.

       

**Special Thanks**

*   PELock Software Protection & Reverse Engineering

**About**

XMachOViewer is a Mach-O viewer for Windows, Linux and MacOS

ntinfo.biz

**Topics**

reverse-engineering macho hacktoberfest macho-parser osx-application machoexplorer machoview macho-loader macho64 hacktoberfest2023

**Resources**

Readme

**License**

MIT license

Activity

**Stars**

**635** stars

**Watchers**

**13** watching

**Forks**

**50** forks

Report repository

**Releases 5**

0.04 Latest

Aug 6, 2022

\+ 4 releases

**Sponsor this project**

Learn more about GitHub Sponsors

**Packages**

No packages published  

**Contributors 3**

*    **horsicq** Hors
*    **mdhvg** Madhav Goyal
*    **omimakhare** OMKAR MAKHARE

**Languages**

*   C++ 37.5%
*   QMake 33.1%
*   Batchfile 10.0%
*   Shell 8.0%
*   CMake 5.1%
*   M4 2.0%
*   Other 4.3%

CVE-2023-49313: GitHub - horsicq/XMachOViewer: XMachOViewer is a Mach-O viewer for Windows, Linux and MacOS

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

**Já disponível: a Asana Intelligence se juntou à equipe com um jeito mais inteligente de trabalharSaiba mais**

Asana Home

**Navigation Instructions**Use left and right arrow keys to navigate between columns.Use up and down arrow keys to move between submenu items.Use Escape to close the menu.

*   **Por que a Asana?**
    
    *   Crie planejamentos de projetos, coordene as tarefas e cumpra todos os prazos
    *   Planeje e faça a gestão de campanhas, lançamentos e muito mais
    *   Desenvolva, expanda e agilize os processos para melhorar a eficiência
    *   Melhore a clareza, o foco e o crescimento pessoal
    *   Elabore roteiros, planeje sprints, faça a gestão dos envios e dos lançamentos
    
    **Para o seu fluxo de trabalho**
    
    *   Planeje, monitore e faça a gestão dos projetos da sua equipe do início ao fim
    *   Crie, lance e monitore as suas campanhas de marketing
    *   Projete, revise e entregue trabalhos inspiradores
    *   Acompanhamento de solicitações
        
        Monitore, priorize e processe as solicitações das equipes
    
    *   Colabore e faça a gestão do trabalho de qualquer lugar
    *   Seja mais consciente em relação à forma como administra o seu tempo
    *   Crie com rapidez, entregue com frequência, e monitore tudo de um só lugar
    *   Veja todos os fluxos de trabalho
        
    
    **Modelos**
    
    *   Página inicial dos modelos
        
        Comece com o pé direito usando modelos elaborados para as suas necessidades
    
*   **Principais funcionalidades**
    
    *   Asana Intelligence Novidade
        
        Amplie o impacto da sua equipe com a IA para Asana
    *   Construtor de fluxo de trabalho
        
        Crie processos automatizados para coordenar as equipes
    *   Crie em poucos minutos um atraente diagrama de Gantt
    *   Acompanhe o andamento do trabalho nos quadros Kanban
    
    *   Use um calendário compartilhado para visualizar o trabalho da equipe
    *   Integrações de aplicativos
        
        Descubra como a Asana integra múltiplos aplicativos para apoiar a sua equipe
    *   Acompanhe o progresso de qualquer fluxo de trabalho em tempo real
    *   Estabeleça metas estratégicas e monitore o progresso delas em um único lugar
    
    *   Envie e faça a gestão das solicitações de trabalho em um único lugar
    *   Agilize os processos, reduza os erros e perca menos tempo com as tarefas de rotina
    *   Veja a carga de trabalho dos membros da equipe nos diversos projetos
    *   Veja todas as funcionalidades
        
    
    **Todos os planos**
    
    *   Ideal para usuários individuais e pequenas equipes que desejam gerir as suas tarefas
    *   Ideal para as equipes em crescimento que precisam monitorar o progresso dos seus projetos e cumprir prazos
    *   Ideal para as empresas que precisam gerir um portfólio de trabalhos e metas de diversos departamentos
    *   
    
*   **Aprendizagem**
    
    *   Recursos para a gestão do trabalho
        
        Conheça boas práticas, assista a webinários, obtenha insights
    *   Saiba mais sobre o que há de melhor e mais recente na Asana
    *   Explore diversas dicas, truques e sugestões para obter o máximo da Asana
    *   Inscreva-se em cursos interativos e webinários para aprender a usar a Asana
    *   Blog Nos bastidores da Asana
        
        Descubra as novidades mais recentes da Asana sobre o produto e a empresa
    
    **Conexão**
    
    *   Saiba mais sobre os próximos eventos que ocorrerão perto de você
    *   Conecte-se e aprenda com outros clientes da Asana ao redor do mundo
    *   Precisa de ajuda? Entre em contato com a equipe de Suporte da Asana
    *   Saiba mais sobre os programas dos nossos parceiros
    
    *   Descubra como desenvolver aplicativos na plataforma da Asana
    *   Asana para entidades sem fins lucrativos
        
        Obtenha mais informações e candidate-se ao nosso programa de descontos para organizações sem fins lucrativos.
    *   Asana para instituições de ensino
        
        Obtenha mais informações e candidate-se ao nosso programa de descontos para instituições de ensino.
    
    **Leituras em destaque**
    
    *   Apresentamos a Asana Intelligence:  
        a IA se juntou à equipe  
        ,DemonstraçãoAssista agora
        
    *   Promova o impacto dos funcionários: novas ferramentas para capacitar lideranças resilientes,RelatórioLeia mais
        
    *   Anatomia do trabalho: Índice global de 2023,RelatórioLeia mais
        
    
*   Enterprise
*   Preços

*   Fale com Vendas
*   Ver uma demonstração
*   Baixar o aplicativo

Aplicativo móvel

**Asana para iOS**

Aplicativo móvel

**Asana para Android**

Aplicativo móvel

**Asana para iOS**

Aplicativo móvel

**Asana para Android**

**Recursos na ponta dos seus dedos.**

O seu trabalho é sincronizado em tempo real na Web, no celular e nos aplicativos para computador. Planeje o seu dia. Compartilhe as ideias. Mantenha a equipe bem informada à distância. E tudo isso, desde qualquer dispositivo.

*   Minhas tarefas
*   Conversas
*   Caixa de entrada
*   Portfólios
*   Projetos
*   Adição rápida
*   Buscas
*   Metas

Perguntas frequentes

**Ficou com dúvidas? Nós temos as respostas.**

**Como posso baixar o aplicativo móvel da Asana?**

Sim. Faça download da Asana para iPhone e iPad na App Store. Faça download da Asana para celulares Android na Google Play Store. Recomendamos que você acesse as lojas no próprio dispositivo para ter a melhor experiência possível. Faça aqui o download da Asana para instalação em computador nas versões Mac, Windows (64-bit) ou Windows (32-bit).

**A Asana dispõe de um aplicativo instalável para computadores Mac ou Windows?**

**A Asana pode ser baixada sem custo?**

Sim, todos os aplicativos Asana podem ser baixados gratuitamente.

CVE-2023-49314: Baixar o aplicativo Asana para dispositivos móveis e computador • Asana

Improperly calculated effective permissions in M-Files Server versions 23.9 and 23.10 and 23.11 before 23.11.13168.7 could produce a faulty result if an object used a specific configuration of metadata-driven permissions.


CVE-2023-6239

Amazzing Filter for Prestashop through 3.2.2 is vulnerable to Cross-Site Scripting (XSS).

CVE-2023-48042

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-5981: cve-details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Univera Computer System Panorama allows Command Injection.This issue affects Panorama: before 8.0.



CVE-2023-6201

A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page.

Affected Resources

Alumne LMS, version 4.0.0.1.08.

Description

INCIBE has coordinated the publication of a vulnerability affecting the e-learning platform Alumne LMS in its version 4.0.0.1.08, which has been discovered by Ignacio Lis Malagón.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

*   CVE-2023-6359: CVSS v3.1: 5.4 | CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

The vulnerability has been fixed in Alumne LMS version 4.0.0.1.44.

Detail

*   **CVE-2023-6359**: a Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the _/users/editmy_ page.

CVE-2023-6359: Cross-Site Scripting in Alumne LMS

IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection.  A remote attacker could execute malicious commands due to improper validation of csv file contents.  IBM X-Force ID:  265262.

  

**Summary**

IBM Security Guardium has addressed this vulnerability in an update.

**Vulnerability Details**

**CVEID:**   CVE-2023-42004  
**DESCRIPTION:**   IBM Security Guardium is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents.  
CVSS Base score: 8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265262 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Guardium

11.3

IBM Security Guardium

11.4

IBM Security Guardium

11.5

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

27 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.3, 11.4, 11.5","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-42004: IBM Security Guardium is affected by a CSV Injection vulnerability (CVE-2023-42004)

[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]

CVE-2023-6151

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  *  the application uses Spring MVC or Spring WebFlux
  *  org.springframework.boot:spring-boot-actuator is on the classpath





**Description**

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

*   the application uses Spring MVC or Spring WebFlux
*   org.springframework.boot:spring-boot-actuator is on the classpath

**Affected Spring Products and Versions**

Spring Boot

*   2.7.0 to 2.7.17
*   3.0.0 to 3.0.12
*   3.1.0 to 3.1.5

And older unsupported versions.

Spring Boot 3.x versions are also affected by CVE-2023-34053, which is a similar issue in Spring Framework. Spring Boot 3.0.13 and 3.1.6 releases upgrade Spring Framework to the relevant version.

**Mitigation**

Users of affected versions should apply the following mitigation.

*   pre-2.7.x users should upgrade to 2.7.18.
*   Spring Boot 2.7.x users should upgrade to 2.7.18.
*   Spring Boot 3.0.x users should upgrade to 3.0.13.
*   Spring Boot 3.1.x users should upgrade to 3.1.6.

No other steps are necessary.

As a temporary workaround, Spring Boot users can choose to disable web metrics with the following property: management.metrics.enable.http.server.requests=false

**Credit**

The issue was identified and responsibly reported by James Yuzawa.

**References**

*   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1

Source

CVE