Description

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

• the application uses Spring MVC or Spring WebFlux
• org.springframework.boot:spring-boot-actuator is on the classpath

Affected Spring Products and Versions

Spring Boot

• 2.7.0 to 2.7.17
• 3.0.0 to 3.0.12
• 3.1.0 to 3.1.5

And older unsupported versions.

Spring Boot 3.x versions are also affected by CVE-2023-34053, which is a similar issue in Spring Framework. Spring Boot 3.0.13 and 3.1.6 releases upgrade Spring Framework to the relevant version.

Mitigation

Users of affected versions should apply the following mitigation.

• pre-2.7.x users should upgrade to 2.7.18.
• Spring Boot 2.7.x users should upgrade to 2.7.18.
• Spring Boot 3.0.x users should upgrade to 3.0.13.
• Spring Boot 3.1.x users should upgrade to 3.1.6.

No other steps are necessary.

As a temporary workaround, Spring Boot users can choose to disable web metrics with the following property: management.metrics.enable.http.server.requests=false

Credit

The issue was identified and responsibly reported by James Yuzawa.

References

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1