Описание
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:
- the application uses Spring MVC
- Spring Security 6.1.6+ or 6.2.1+ is on the classpath
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.
A flaw was found in the Spring Framework. This issue may allow a remote user to provide specially crafted HTTP requests, leading the application to a Denial of Service (DoS). An application may be considered vulnerable if it meets the both conditions: The application uses Spring MVC and Spring Security versions 6.1.6, 6.2.1, or above are set on the classpath.
Отчет
After careful consideration, Redhat has rated this vulnerability as moderate severity as successful exploitation of this flaw depends on various factors such as org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies, the application uses Spring MVC,Spring Security 6.1.6+ or 6.2.1+ is on the classpath.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | spring-boot | Not affected | ||
| Migration Toolkit for Runtimes | spring-boot | Not affected | ||
| Red Hat AMQ Broker 7 | spring-boot | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | spring-boot | Not affected | ||
| Red Hat build of OptaPlanner 8 | spring-boot | Not affected | ||
| Red Hat Data Grid 8 | spring-boot | Not affected | ||
| Red Hat Decision Manager 7 | spring-boot | Out of support scope | ||
| Red Hat Enterprise Linux 8 | log4j:2/log4j | Not affected | ||
| Red Hat Enterprise Linux 9 | log4j | Not affected | ||
| Red Hat Fuse 7 | spring-boot | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a us ...
Уязвимость шаблона проектирования Spring MVC программной платформы Spring Framework, Java-фреймворка для обеспечения безопасности промышленных приложений Spring Security и фреймворка для создания веб-приложений Spring Boot, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3