CVE-2023-34053

CWE-400Uncontrolled Resource Consumption10 documents7 sources
Severity
7.5HIGH
EPSS
0.6%
top 30.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Spring Spring FrameworkVmware Spring Framework
Timeline
PublishedNov 28
Latest updateOct 15

Description

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.b

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

CVEListV5spring/spring_framework6.0.06.0.14
NVDvmware/spring_framework6.0.06.0.14
Mavenorg.springframework:spring-webmvc6.0.06.0.14

🔴Vulnerability Details

4
OSV
Spring Framework vulnerable to denial of service2023-11-28
OSV
CVE-2023-34053: In Spring Framework versions 62023-11-28
CVEList
Spring Framework server Web Observations DoS Vulnerability2023-11-28
GHSA
Spring Framework vulnerable to denial of service2023-11-28

📋Vendor Advisories

5
Oracle
Oracle Oracle Retail Applications Risk Matrix: Foundation (Spring Framework) — CVE-2023-340532025-10-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Security (Spring Framework) — CVE-2023-340532024-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Third Party (Spring Framework) — CVE-2023-340532024-01-15
Red Hat
springframework: io.micrometer: micrometer-core classpath vulnerable to denial of service2023-11-27
Debian
CVE-2023-34053: libspring-java - In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provid...2023