High severityNVD Advisory· Published Nov 28, 2023· Updated Feb 13, 2025
Spring Framework server Web Observations DoS Vulnerability
CVE-2023-34053
Description
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
- the application uses Spring MVC or Spring WebFlux
- io.micrometer:micrometer-core is on the classpath
- an ObservationRegistry is configured in the application to record observations
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-webmvcMaven | >= 6.0.0, < 6.0.14 | 6.0.14 |
Affected products
2- Range: 6.0.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-v94h-hvhg-mf9hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-34053ghsaADVISORY
- github.com/spring-projects/spring-framework/commit/c18784678df489d06a70e54fcddb5e3821d4b00cghsaWEB
- github.com/spring-projects/spring-framework/compare/v6.0.13...v6.0.14ghsaWEB
- security.netapp.com/advisory/ntap-20231214-0007ghsaWEB
- spring.io/security/cve-2023-34053ghsaWEB
- security.netapp.com/advisory/ntap-20231214-0007/mitre
News mentions
0No linked articles in our index yet.