Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-34055

Опубликовано: 27 нояб. 2023
Источник: redhat
CVSS3: 6.5

Описание

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • org.springframework.boot:spring-boot-actuator is on the classpath

Отчет

Red Hat does not ship any spring integration in the RHEL log4j package, therefore the log4j package is not affected by this issue in Red Hat Enterprise Linux 8 & 9. Red Hat Single Sign-On provides Spring Boot adapters, but does not provide the affected code and is not affected by this flaw.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2spring-bootNot affected
Migration Toolkit for Runtimesspring-bootNot affected
Red Hat AMQ Broker 7spring-bootAffected
Red Hat build of Apache Camel for Spring Boot 3spring-bootNot affected
Red Hat build of OptaPlanner 8spring-bootNot affected
Red Hat Data Grid 8spring-bootNot affected
Red Hat Decision Manager 7spring-bootOut of support scope
Red Hat Enterprise Linux 8log4j:2/log4jNot affected
Red Hat Enterprise Linux 9log4jNot affected
Red Hat Integration Camel K 1spring-bootWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=2251917spring-boot: org.springframework.boot: spring-boot-actuator class vulnerable to denial of service

6.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2023-34055

CVSS3: 5.3
nvd
около 2 лет назад

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath

github логотип

GHSA-jjfh-589g-3hjx

CVSS3: 5.3
github
около 2 лет назад

Spring Boot Actuator denial of service vulnerability

fstec логотип

BDU:2023-09011

CVSS3: 6.5
fstec
около 2 лет назад

Уязвимость фреймворка создания веб-приложений Spring Boot, связанная с некорректной зачисткой или освобождением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

6.5 Medium

CVSS3