4 results (0.005 seconds)

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath En las versiones 2.7.0 - 2.7.17, 3.0.0-3.0.12 y 3.1.0-3.1.5 de Spring Boot, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden provocar una condición de denegación de servicio ( DoS). Específicamente, una aplicación es vulnerable cuando se cumple todo lo siguiente: * la aplicación usa Spring MVC o Spring WebFlux * org.springframework.boot:spring-boot-actuator está en el classpath In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath • https://security.netapp.com/advisory/ntap-20231221-0010 https://spring.io/security/cve-2023-34055 https://access.redhat.com/security/cve/CVE-2023-34055 https://bugzilla.redhat.com/show_bug.cgi?id=2251917 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack. • https://security.netapp.com/advisory/ntap-20230703-0008 https://spring.io/security/cve-2023-20883 https://access.redhat.com/security/cve/CVE-2023-20883 https://bugzilla.redhat.com/show_bug.cgi?id=2209342 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. A flaw was found in Spring Boot. This targets specifically 'spring-boot-actuator-autoconfigure' package. • https://security.netapp.com/advisory/ntap-20230601-0009 https://spring.io/blog/2023/05/18/spring-boot-2-5-15-and-2-6-15-available-now https://spring.io/security/cve-2023-20873 https://access.redhat.com/security/cve/CVE-2023-20873 https://bugzilla.redhat.com/show_bug.cgi?id=2231491 • CWE-284: Improper Access Control •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` Cuando se utiliza Apache Shiro anterior a 1.11.0 junto con Spring Boot 2.6+, una solicitud HTTP especialmente manipulada puede provocar una omisión de autenticación. La omisión de autenticación se produce cuando Shiro y Spring Boot utilizan diferentes técnicas de coincidencia de patrones. Tanto Shiro como Spring Boot &lt; 2.6 por defecto utiliza la coincidencia de patrones de estilo Ant. Mitigación: actualice a Apache Shiro 1.11.0 o establezca el siguiente valor de configuración de Spring Boot: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` A flaw was found in Apache Shiro. • https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl https://access.redhat.com/security/cve/CVE-2023-22602 https://bugzilla.redhat.com/show_bug.cgi?id=2182198 • CWE-436: Interpretation Conflict •