PT-2023-8403 · Spring · Spring Webflux

James Yuzawa · Published 2023-11-27 · Updated 2023-12-14 · CVE-2023-34053

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the vulnerable software and affected versions: Spring Framework versions 6.0.0 through 6.0.13

Description: The issue stems from unbounded resource consumption, which a remote attacker can exploit with specially crafted HTTP requests to cause a denial-of-service (DoS) condition. The application is affected when it uses Spring MVC or Spring WebFlux, has io.micrometer:micrometer-core on the classpath, and has an ObservationRegistry configured to record observations. Spring Boot applications typically meet these conditions when they include the org.springframework.boot:spring-boot-actuator dependency.

Recommendations: For Spring Framework versions 6.0.0 through 6.0.13, consider disabling the use of Spring MVC or Spring WebFlux, or removing io.micrometer:micrometer-core from the classpath, until a patch is available. Additionally, restricting the ObservationRegistry configuration so that it does not record observations can reduce the risk of exploitation. Avoid the org.springframework.boot:spring-boot-actuator dependency in Spring Boot applications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE


Weakness Enumeration

Related identifiers

BDU:2024-00651
CVE-2023-34053
GHSA-V94H-HVHG-MF9H

Affected products

Spring Framework
Spring Mvc
Spring Webflux
Micrometer-Core
Spring-Boot-Actuator