In Spring Boot versions 2.7.0-2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
org.springframework.boot:spring-boot-actuator is on the classpath
And older unsupported versions.
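The version ranges and the actuator-on-the-classpath condition above translate directly into an exposure check. The following is an added example (not part of the advisory or of Spring Boot) that scans `mvn dependency:list` output for the actuator artifact and compares its version against the affected ranges; the sample build output is constructed, and treating anything below 2.7.0 as affected follows the advisory's "older unsupported versions" wording.

```python
import re

# Affected Spring Boot ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 17)),
    ((3, 0, 0), (3, 0, 12)),
    ((3, 1, 0), (3, 1, 5)),
]
# Anything older than the 2.7 line is unsupported; the advisory lists it as affected.
OLDEST_SUPPORTED = (2, 7, 0)

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (qualifiers such as -SNAPSHOT are ignored) into a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when a spring-boot-actuator version falls in an affected range."""
    v = parse_version(version)
    if v < OLDEST_SUPPORTED:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# Matches the resolved actuator jar itself (the starter only pulls this jar in).
DEP_LINE = re.compile(r"org\.springframework\.boot:spring-boot-actuator:jar:([\w.\-]+)")

def scan_dependency_list(output):
    """Return (actuator_present, actuator_version, affected) for `mvn dependency:list` text."""
    for line in output.splitlines():
        m = DEP_LINE.search(line)
        if m:
            version = m.group(1)
            return True, version, is_affected(version)
    return False, None, False

# Constructed sample of `mvn dependency:list` output (not captured from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.1.5:compile
[INFO]    org.springframework.boot:spring-boot-actuator:jar:3.1.5:compile
[INFO]    io.micrometer:micrometer-core:jar:1.11.5:compile
"""

if __name__ == "__main__":
    present, version, affected = scan_dependency_list(SAMPLE)
    print(f"actuator present={present} version={version} affected={affected}")
```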
Spring Boot 3.x versions are also affected by CVE-2023-34053, which is a similar issue in Spring Framework. Spring Boot 3.0.13 and 3.1.6 releases upgrade Spring Framework to the relevant version.
Users of affected versions should apply the following mitigation.
No other steps are necessary.
As a temporary workaround, Spring Boot users can choose to disable web metrics with the following property:
The issue was identified and responsibly reported by James Yuzawa.