Applications that parse ETags from If-Match
or If-None-Match
request headers are vulnerable to DoS attack.
org.springframework:spring-web in versions
6.1.0 through 6.1.11 6.0.0 through 6.0.22 5.3.0 through 5.3.37
Older, unsupported versions are also affected
Users of affected versions should upgrade to the corresponding fixed version. 6.1.x -> 6.1.12 6.0.x -> 6.0.23 5.3.x -> 5.3.38 No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on If-Match
and If-None-Match
headers, e.g. through a Filter.