CVE-2023-34055

CWE-400 — Uncontrolled Resource Consumption9 documents6 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 48.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Boot Vmware Spring Boot

Timeline

PublishedNov 28

Latest updateOct 15

Description

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.springframework.boot:spring-boot-actuator3.0.0 — 3.0.13+2

▶CVEListV5spring/spring_boot2.7.0 — 2.7.18+3

▶NVDvmware/spring_boot2.7.0 — 2.7.17+2

🔴Vulnerability Details

OSV

Spring Boot Actuator denial of service vulnerability↗2023-11-28

▶

CVEList

Spring Boot server Web Observations DoS Vulnerability↗2023-11-28

▶

GHSA

Spring Boot Actuator denial of service vulnerability↗2023-11-28

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Reports (Spring Boot) — CVE-2023-34055↗2024-10-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Installer (Spring Boot) — CVE-2023-34055↗2024-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: General (Spring Boot) — CVE-2023-34055↗2024-04-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Configuration (Spring Boot) — CVE-2023-34055↗2024-01-15

▶

Red Hat

spring-boot: org.springframework.boot: spring-boot-actuator class vulnerable to denial of service↗2023-11-27

▶