CVE-2023-34053

2023-11-2809:15:06

Debian Security Bug Tracker

security-tracker.debian.org

spring framework

denial-of-service

http requests

spring mvc

spring webflux

micrometer-core

observationregistry

spring boot

spring-boot-actuator

unix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

16.2%

JSON

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

OSVersionArchitecturePackageVersionFilename
Debian12alllibspring-java< 4.3.30-2libspring-java_4.3.30-2_all.deb
Debian11alllibspring-java< 4.3.30-1libspring-java_4.3.30-1_all.deb
Debian999alllibspring-java< 4.3.30-2libspring-java_4.3.30-2_all.deb
Debian13alllibspring-java< 4.3.30-2libspring-java_4.3.30-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	libspring-java	< 4.3.30-2	libspring-java_4.3.30-2_all.deb
Debian	11	all	libspring-java	< 4.3.30-1	libspring-java_4.3.30-1_all.deb
Debian	999	all	libspring-java	< 4.3.30-2	libspring-java_4.3.30-2_all.deb
Debian	13	all	libspring-java	< 4.3.30-2	libspring-java_4.3.30-2_all.deb