Fluid Attacks Database

Description

Spring Boot Actuator denial of service vulnerability In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses Spring MVC or Spring WebFlux

org.springframework.boot:spring-boot-actuator is on the classpath

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.boot:spring-boot-actuator	>=0 <2.7.18 \|\| >=3.0.0 <3.0.13 \|\| >=3.1.0 <3.1.6	2.7.18, 3.0.13, 3.1.6
maven	org.springframework.boot:spring-boot	>=0 <2.7.18 \|\| >=3.0.0 <3.0.13 \|\| >=3.1.0 <3.1.6	2.7.18, 3.0.13, 3.1.6

Aliases

1. CVE-2023-340552. NVD-2023-340553. OSV-2023-340554. GHSA-jjfh-589g-3hjx5. GCVE-2023-340556. SPRING-cve-2023-34055

References

1. https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d602. https://security.netapp.com/advisory/ntap-20231221-00103. https://spring.io/security/cve-2023-34055

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.