In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* io.micrometer:micrometer-core is on the classpath
* an ObservationRegistry is configured in the application to record observations
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.
References
Link | Resource |
---|---|
https://security.netapp.com/advisory/ntap-20231214-0007/ | |
https://spring.io/security/cve-2023-34053 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: vmware
Published: 2023-11-28T08:10:37.217Z
Updated: 2023-11-28T08:10:37.217Z
Reserved: 2023-05-25T17:21:56.203Z
Link: CVE-2023-34053
JSON object: View
NVD Information
Status : Modified
Published: 2023-11-28T09:15:06.960
Modified: 2023-12-14T10:15:07.520
Link: CVE-2023-34053
JSON object: View
Redhat Information
No data.
CWE