PT-2023-17687 · Spring · Spring Boot

Martin Van Kervel Smedshammer · Published 2023-05-19 · Updated 2025-01-16 · CVE-2023-20883

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Spring Boot versions 2.5.0 through 2.5.14
Spring Boot versions 2.6.0 through 2.6.14
Spring Boot versions 2.7.0 through 2.7.11
Spring Boot versions 3.0.0 through 3.0.6
Spring Boot older unsupported versions

Description

There is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. An application is vulnerable if it has Spring MVC auto-configuration enabled, makes use of Spring Boot's welcome page support, and is deployed behind a proxy that caches 404 responses.

Recommendations

For Spring Boot versions 2.5.x, upgrade to 2.5.15 or later.
For Spring Boot versions 2.6.x, upgrade to 2.6.15 or later.
For Spring Boot versions 2.7.x, upgrade to 2.7.12 or later.
For Spring Boot versions 3.0.x, upgrade to 3.0.7 or later.
For older, unsupported Spring Boot versions, upgrade to 3.0.7 or 2.7.12 or later.

As a temporary workaround, consider configuring the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.
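The workaround above is stated generically; the following nginx configuration is an added illustration of it and is not part of the advisory or of the Spring Boot project. It shows a reverse-proxy cache setting that stores every response code (the condition the advisory describes) next to a hardened variant that never stores 404 responses and does not cache the application root at all. The upstream name, cache zone name, paths and hostname are assumed placeholders.

```nginx
# Added example, not from the advisory. Placeholders: upstream "springboot",
# cache zone "app_cache", cache path and server_name are all assumed.

proxy_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app_cache:10m
                 max_size=1g inactive=60m;

upstream springboot {
    server 127.0.0.1:8080;   # assumed: the Spring Boot application
}

server {
    listen 80;
    server_name example.invalid;   # placeholder hostname

    # --- Weak setting: caches every status code, 404 included ---
    # With "proxy_cache_valid any", a 404 produced for "/" would be stored and
    # served to every client until it expires, which is the scenario the
    # advisory describes. Kept here commented out for comparison only.
    #
    # location / {
    #     proxy_pass http://springboot;
    #     proxy_cache app_cache;
    #     proxy_cache_valid any 10m;
    # }

    # --- Hardened setting: only success and redirect codes are cacheable ---
    # 404 is not listed in proxy_cache_valid, so nginx never stores it.
    location / {
        proxy_pass http://springboot;
        proxy_cache app_cache;
        proxy_cache_valid 200 301 302 10m;
        # Exposes HIT/MISS/BYPASS so the behaviour can be verified from a client.
        add_header X-Cache-Status $upstream_cache_status;
    }

    # Second workaround from the advisory: do not cache the application root,
    # which is where Spring Boot's welcome page is served from.
    location = / {
        proxy_pass http://springboot;
        proxy_cache off;
    }
}
```

To confirm the hardened block behaves as intended, request a path that yields 404 twice and check the `X-Cache-Status` header: it should read `MISS` on both requests rather than `HIT` on the second, while a repeated request for a cacheable 200 response on a non-root path should move from `MISS` to `HIT`. The `location = /` block disables caching for the root entirely, so no status header is emitted there. The configuration-level workaround reduces exposure only; the upgrade to a fixed Spring Boot version listed above remains the actual fix.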

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-20883
GHSA-XF96-W227-R7C4

Affected Products

Spring Boot