GHSA-jjfh-589g-3hjx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jjfh-589g-3hjx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-jjfh-589g-3hjx/GHSA-jjfh-589g-3hjx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jjfh-589g-3hjx
- Aliases
- Published
- 2023-11-28T09:30:27Z
- Modified
- 2025-02-13T19:36:53.095977Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Spring Boot Actuator denial of service vulnerability
- Details
-
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
- the application uses Spring MVC or Spring WebFlux
org.springframework.boot:spring-boot-actuatoris on the classpath
- Database specific
{ "github_reviewed": true, "cwe_ids": [], "nvd_published_at": "2023-11-28T09:15:07Z", "github_reviewed_at": "2023-11-28T20:53:48Z", "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-34055
- https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60
- https://github.com/spring-projects/spring-boot
- https://security.netapp.com/advisory/ntap-20231221-0010
- https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862
- https://spring.io/security/cve-2023-34055
Affected packages
Maven
org.springframework.boot:spring-boot-actuator
Package
- Name
- org.springframework.boot:spring-boot-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-actuator
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.18
Affected versions
1.*
1.0.0.RELEASE
1.0.1.RELEASE
1.0.2.RELEASE
1.1.0.RELEASE
1.1.1.RELEASE
1.1.2.RELEASE
1.1.3.RELEASE
1.1.4.RELEASE
1.1.5.RELEASE
1.1.6.RELEASE
1.1.7.RELEASE
1.1.8.RELEASE
1.1.9.RELEASE
1.1.10.RELEASE
1.1.11.RELEASE
1.1.12.RELEASE
1.2.0.RELEASE
1.2.1.RELEASE
1.2.2.RELEASE
1.2.3.RELEASE
1.2.4.RELEASE
1.2.5.RELEASE
1.2.6.RELEASE
1.2.7.RELEASE
1.2.8.RELEASE
1.3.0.RELEASE
1.3.1.RELEASE
1.3.2.RELEASE
1.3.3.RELEASE
1.3.4.RELEASE
1.3.5.RELEASE
1.3.6.RELEASE
1.3.7.RELEASE
1.3.8.RELEASE
1.4.0.RELEASE
1.4.1.RELEASE
1.4.2.RELEASE
1.4.3.RELEASE
1.4.4.RELEASE
1.4.5.RELEASE
1.4.6.RELEASE
1.4.7.RELEASE
1.5.0.RELEASE
1.5.1.RELEASE
1.5.2.RELEASE
1.5.3.RELEASE
1.5.4.RELEASE
1.5.5.RELEASE
1.5.6.RELEASE
1.5.7.RELEASE
1.5.8.RELEASE
1.5.9.RELEASE
1.5.10.RELEASE
1.5.11.RELEASE
1.5.12.RELEASE
1.5.13.RELEASE
1.5.14.RELEASE
1.5.15.RELEASE
1.5.16.RELEASE
1.5.17.RELEASE
1.5.18.RELEASE
1.5.19.RELEASE
1.5.20.RELEASE
1.5.21.RELEASE
1.5.22.RELEASE
2.*
2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.0.6.RELEASE
2.0.7.RELEASE
2.0.8.RELEASE
2.0.9.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.1.5.RELEASE
2.1.6.RELEASE
2.1.7.RELEASE
2.1.8.RELEASE
2.1.9.RELEASE
2.1.10.RELEASE
2.1.11.RELEASE
2.1.12.RELEASE
2.1.13.RELEASE
2.1.14.RELEASE
2.1.15.RELEASE
2.1.16.RELEASE
2.1.17.RELEASE
2.1.18.RELEASE
2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.2.5.RELEASE
2.2.6.RELEASE
2.2.7.RELEASE
2.2.8.RELEASE
2.2.9.RELEASE
2.2.10.RELEASE
2.2.11.RELEASE
2.2.12.RELEASE
2.2.13.RELEASE
2.3.0.RELEASE
2.3.1.RELEASE
2.3.2.RELEASE
2.3.3.RELEASE
2.3.4.RELEASE
2.3.5.RELEASE
2.3.6.RELEASE
2.3.7.RELEASE
2.3.8.RELEASE
2.3.9.RELEASE
2.3.10.RELEASE
2.3.11.RELEASE
2.3.12.RELEASE
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.5.12
2.5.13
2.5.14
2.5.15
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
org.springframework.boot:spring-boot-actuator
Package
- Name
- org.springframework.boot:spring-boot-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-actuator
org.springframework.boot:spring-boot-actuator
Package
- Name
- org.springframework.boot:spring-boot-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-actuator