5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.004 Low
EPSS
Percentile
75.2%
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions
4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch
provide support for range requests when serving static resources through
the ResourceHttpRequestHandler, or starting in 5.0 when an annotated
controller returns an org.springframework.core.io.Resource. A malicious
user (or attacker) can add a range header with a high number of ranges, or
with wide ranges that overlap, or both, for a denial of service attack.
This vulnerability affects applications that depend on either spring-webmvc
or spring-webflux. Such applications must also have a registration for
serving static resources (e.g. JS, CSS, images, and others), or have an
annotated controller that returns an org.springframework.core.io.Resource.
Spring Boot applications that depend on spring-boot-starter-web or
spring-boot-starter-webflux are ready to serve static resources out of the
box and are therefore vulnerable.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | libspring-java | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libspring-java | < any | UNKNOWN |
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.004 Low
EPSS
Percentile
75.2%