Description
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. The issue requires all of the following: Spring MVC auto-configuration is enabled, the application uses Spring Boot's welcome page support (either static or templated), and the application is deployed behind a proxy that caches 404 responses. Under these conditions, the issue may result in a denial of service (DoS).
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | spring-boot | Not affected | | |
| Migration Toolkit for Runtimes | spring-boot | Affected | | |
| Red Hat AMQ Broker 7 | spring-boot | Not affected | | |
| Red Hat Data Grid 8 | spring-boot | Not affected | | |
| Red Hat Enterprise Linux 8 | log4j:2/log4j | Affected | | |
| Red Hat Enterprise Linux 9 | log4j | Affected | | |
| Red Hat Integration Camel K 1 | spring-boot | Not affected | | |
| Red Hat JBoss Data Grid 7 | spring-boot | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | spring-boot | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 7 | spring-boot | Not affected | | |
Additional information
Status:
EPSS
CVSS3: 7.5 High