Spring Security Advisories

CVE-2024-22236: local information disclosure via temporary directory created with unsafe permissions

LOW | JANUARY 30, 2024 | CVE-2024-22236

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

CVE-2024-22233: Spring Framework server Web DoS Vulnerability

HIGH | JANUARY 22, 2024 | CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC
  • Spring Security 6.1.6+ or 6.2.1+ is on the classpath

CVE-2023-34053: Spring Framework server Web Observations DoS Vulnerability

MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34053

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • io.micrometer:micrometer-core is on the classpath
  • an ObservationRegistry is configured in the application to record observations

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all