CVE-2023-34053 (High) detected in spring-web-6.0.13.jar - autoclosed

[mend-bolt-for-github[bot]]

CVE-2023-34053 - High Severity Vulnerability

Vulnerable Library - spring-web-6.0.13.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

Found in HEAD commit: 335a4047c89f52dfe860e93daefb32dc86a521a2

Found in base branch: develop

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

Publish Date: 2023-11-28

URL: CVE-2023-34053

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34053

Release Date: 2023-11-28

Fix Resolution: 6.0.14

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.