PT-2023-7931 · Spring · Spring Boot

James Yuzawa · Published 2023-11-28 · Updated 2023-12-21 · CVE-2023-34055

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

- Spring Boot versions 2.7.0 through 2.7.17
- Spring Boot versions 3.0.0 through 3.0.12
- Spring Boot versions 3.1.0 through 3.1.5

Description

The issue is related to the Spring Boot framework, where an application can be vulnerable to a denial-of-service (DoS) condition when a user provides specially crafted HTTP requests. This occurs when the application uses Spring MVC or Spring WebFlux and has org.springframework.boot:spring-boot-actuator on the classpath. The vulnerability is associated with incorrect resource cleanup or release.

Recommendations

- For Spring Boot versions 2.7.0 through 2.7.17, update to a version outside of this range to resolve the issue.
- For Spring Boot versions 3.0.0 through 3.0.12, update to a version outside of this range to resolve the issue.
- For Spring Boot versions 3.1.0 through 3.1.5, update to a version outside of this range to resolve the issue.
- As a temporary workaround, consider disabling the org.springframework.boot:spring-boot-actuator module until a patch is available.
- Restrict access to applications using Spring MVC or Spring WebFlux to minimize the risk of exploitation.
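Because the DoS only applies when an affected Spring Boot version and the actuator artifact are both on the classpath, a quick triage script can check a build's resolved dependency list against the three ranges listed above. This is an added example, not part of the advisory; the dependency lines are constructed in Maven `dependency:list` / Gradle `dependencies` style, and the artifact-name patterns are an assumption about how those tools print coordinates.

```python
"""Triage a dependency list against the CVE-2023-34055 affected ranges (added example)."""
import re

# Inclusive (lower, upper) ranges as listed in the advisory, as (major, minor, patch).
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 17)),
    ((3, 0, 0), (3, 0, 12)),
    ((3, 1, 0), (3, 1, 5)),
]

# Assumed coordinate formats: "group:artifact:version" (Gradle) or
# "group:artifact:jar:version:scope" (Maven). Any spring-boot* artifact gives the version.
_DEP_RE = re.compile(r"org\.springframework\.boot:spring-boot(?:-[\w-]+)?:(?:jar:)?(\d+\.\d+\.\d+)")
# The advisory names spring-boot-actuator; the starter pulls that artifact in transitively.
_ACTUATOR_RE = re.compile(r"org\.springframework\.boot:spring-boot-(?:starter-)?actuator:")


def parse_version(text):
    """Turn '3.1.5' (a qualifier such as '-SNAPSHOT' is ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version falls inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(dependency_lines):
    """Summarise exposure: versions seen, which are affected, and whether actuator is present."""
    matches = (_DEP_RE.search(ln) for ln in dependency_lines)
    versions = sorted({m.group(1) for m in matches if m}, key=parse_version)
    affected = [v for v in versions if is_affected(v)]
    actuator = any(_ACTUATOR_RE.search(ln) for ln in dependency_lines)
    return {
        "versions": versions,
        "affected_versions": affected,
        "actuator_on_classpath": actuator,
        "at_risk": bool(affected) and actuator,  # both conditions from the advisory
    }


# Constructed sample output, not captured from a real build.
SAMPLE_AT_RISK = [
    "[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.1.5:compile",
    "[INFO]    org.springframework.boot:spring-boot-starter-actuator:jar:3.1.5:compile",
    "[INFO]    org.springframework.boot:spring-boot-actuator:jar:3.1.5:compile",
]
SAMPLE_PATCHED = [
    "+--- org.springframework.boot:spring-boot-starter-web:3.1.6",
    "+--- org.springframework.boot:spring-boot-starter-actuator:3.1.6",
]
```

Run `assess()` over the output of `mvn dependency:list` or `gradle dependencies` to get an at-risk verdict per build; a True result means upgrading past the range or removing the actuator module per the recommendations above.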

Fix

Weakness Enumeration

Improper Resource Release

Related Identifiers

- BDU:2023-09011
- CVE-2023-34055
- GHSA-JJFH-589G-3HJX

Affected Products

- Spring Boot