CVE-2023-20883

Spring Boot Welcome Page Denial of Service in maven/org.springframework.boot/spring-boot-autoconfigure

Identifiers

GHSA-xf96-w227-r7c4, CVE-2023-20883

Package Slug

maven/org.springframework.boot/spring-boot-autoconfigure

Vulnerability

Spring Boot Welcome Page Denial of Service

Description

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Affected Versions

All versions before 2.5.15, all versions starting from 2.6.0 before 2.6.15, all versions starting from 2.7.0 before 2.7.12, all versions starting from 3.0.0 before 3.0.7

Solution

Upgrade to version 2.5.15, 2.6.15, 2.7.12 or 3.0.7, or later.

Last Modified

2023-05-29
