CVE-2023-34055: Spring Boot server Web Observations DoS Vulnerability
First published: Tue Nov 28 2023(Updated: )
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework.boot:spring-boot | >=3.1.0<3.1.6 | 3.1.6 |
| maven/org.springframework.boot:spring-boot | >=3.0.0<3.0.13 | 3.0.13 |
| maven/org.springframework.boot:spring-boot | <2.7.18 | 2.7.18 |
| Vmware Spring Boot | >=2.7.0<=2.7.17 | |
| Vmware Spring Boot | >=3.0.0<=3.0.12 | |
| Vmware Spring Boot | >=3.1.0<=3.1.5 | |
| IBM Operational Decision Manager | <=8.10.3 | |
| IBM Operational Decision Manager | <=8.10.4 | |
| IBM Operational Decision Manager | <=8.10.5.1 | |
| IBM Operational Decision Manager | <=8.11.0.1 | |
| IBM Operational Decision Manager | <=8.11.1 | |
| IBM Operational Decision Manager | <=8.12.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-34055
- https://spring.io/security/cve-2023-34055
- https://github.com/advisories/GHSA-jjfh-589g-3hjx (Advisory)
- https://security.netapp.com/advisory/ntap-20231221-0010/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/272537
- https://www.ibm.com/support/pages/node/7112382 (Advisory)
Frequently Asked Questions
What is CVE-2023-34055?
CVE-2023-34055 is a vulnerability in Spring Boot server Web Observations that allows a user to cause a denial-of-service (DoS) condition.
How does CVE-2023-34055 affect Spring Boot versions?
CVE-2023-34055 affects Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12, and 3.1.0-3.1.5.
What is the severity of CVE-2023-34055?
CVE-2023-34055 has a severity rating of 5.3, which is medium.
How can I fix CVE-2023-34055?
To fix CVE-2023-34055, update Spring Boot to version 3.1.6, 3.0.13, or 2.7.18.
Where can I find more information about CVE-2023-34055?
You can find more information about CVE-2023-34055 at the following references: - [Spring Advisory](https://spring.io/security/cve-2023-34055) - [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-34055) - [GitHub Advisory](https://github.com/advisories/GHSA-jjfh-589g-3hjx)
- collector/github-advisory
- alias/GHSA-jjfh-589g-3hjx
- alias/CVE-2023-34055
- collector/mitre-cve
- collector/nvd-api
- collector/github-advisory-latest
- collector/nvd-cve
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/event
- agent/description
- agent/title
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- package-manager/maven
- vendor/vmware
- canonical/vmware spring boot
- version/vmware spring boot/2.7.0
- version/vmware spring boot/2.7.17
- version/vmware spring boot/3.0.0
- version/vmware spring boot/3.0.12
- version/vmware spring boot/3.1.0
- version/vmware spring boot/3.1.5
- vendor/ibm
- canonical/ibm operational decision manager
- version/ibm operational decision manager/8.10.3
- version/ibm operational decision manager/8.10.4
- version/ibm operational decision manager/8.10.5.1
- version/ibm operational decision manager/8.11.0.1
- version/ibm operational decision manager/8.11.1
- version/ibm operational decision manager/8.12.0.1