James Yuzawa

**Name of the Vulnerable Software and Affected Versions** Spring Boot versions 2.7.0 through 2.7.17 Spring Boot versions 3.0.0 through 3.0.12 Spring Boot versions 3.1.0 through 3.1.5 **Description** The issue is related to the Spring Boot framework, where an application can be vulnerable to a denial-of-service (DoS) condition when a user provides specially crafted HTTP requests. This occurs when the application uses Spring MVC or Spring WebFlux and has `org.springframework.boot:spring-boot-actuator` on the classpath. The vulnerability is associated with incorrect resource cleanup or release. **Recommendations** For Spring Boot versions 2.7.0 through 2.7.17, update to a version outside of this range to resolve the issue. For Spring Boot versions 3.0.0 through 3.0.12, update to a version outside of this range to resolve the issue. For Spring Boot versions 3.1.0 through 3.1.5, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the `org.springframework.boot:spring-boot-actuator` module until a patch is available. Restrict access to applications using Spring MVC or Spring WebFlux to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Reactor Netty HTTP Server versions 1.0.x prior to 1.0.39 Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13 **Description** The issue is related to an uncontrolled resource consumption in the Reactor Netty HTTP Server, which can be exploited by a remote attacker using specially crafted HTTP requests to cause a denial-of-service (DoS) condition. This can happen if the built-in integration with Micrometer is enabled in the application. **Recommendations** For Reactor Netty HTTP Server versions 1.0.x prior to 1.0.39, update to version 1.0.39 or later to resolve the issue. For Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13, update to version 1.1.13 or later to resolve the issue. As a temporary workaround, consider disabling the built-in integration with Micrometer until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Spring Framework versions 6.0.0 through 6.0.13 **Description** The issue is related to unlimited resource distribution, which can be exploited by a remote attacker to cause a denial-of-service (DoS) condition using specially crafted HTTP requests. This can happen when the application uses Spring MVC or Spring WebFlux, has io.micrometer:micrometer-core on the classpath, and an ObservationRegistry is configured to record observations. Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet these conditions. **Recommendations** For Spring Framework versions 6.0.0 through 6.0.13, consider disabling the use of Spring MVC or Spring WebFlux, or removing io.micrometer:micrometer-core from the classpath, until a patch is available. Additionally, restricting the configuration of ObservationRegistry to prevent recording observations can help minimize the risk of exploitation. Avoid using the org.springframework.boot:spring-boot-actuator dependency in Spring Boot applications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.