CVE-2024-22233: Uncontrolled Resource Consumption in Spring Framework

Severity
7.5 HIGH (NVD)
GHSA (CVSS v3.1)
EPSS
1.5% (top 18.60%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 22
Latest update: May 16

Description

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:

* the application uses Spring MVC
* Spring Security 6.1.6+ or 6.2.1+ is on the classpath

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependen

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEList V5: spring/spring_framework 6.0.15, 6.1.2 (+1)
NVD: vmware/spring_framework 6.0.15, 6.1.2 (+1)

Vulnerability Details (4)

GHSA: Spring Framework DataBinder Case Sensitive Match Exception (2025-05-16)
OSV: Spring Framework server Web DoS Vulnerability (2024-01-22)
CVEList: CVE-2024-22233: Spring Framework server Web DoS Vulnerability (2024-01-22)
GHSA: Spring Framework server Web DoS Vulnerability (2024-01-22)

Vendor Advisories (3)

Oracle: Oracle Communications Risk Matrix: Third Party (Spring Framework) — CVE-2024-22233 (2024-04-15)
Red Hat: spring-boot: Crafted HTTP requests may lead to denial-of-service (DoS) (2024-01-22)
Debian: CVE-2024-22233: libspring-java - In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to prov... (2024)
CVE-2024-22233 — Uncontrolled Resource Consumption | cvebase