CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-20883 – spring-boot: Spring Boot Welcome Page DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack. • https://security.netapp.com/advisory/ntap-20230703-0008 https://spring.io/security/cve-2023-20883 https://access.redhat.com/security/cve/CVE-2023-20883 https://bugzilla.redhat.com/show_bug.cgi?id=2209342 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-20873 – spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
https://notcve.org/view.php?id=CVE-2023-20873
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. A flaw was found in Spring Boot. This targets specifically 'spring-boot-actuator-autoconfigure' package. • https://security.netapp.com/advisory/ntap-20230601-0009 https://spring.io/blog/2023/05/18/spring-boot-2-5-15-and-2-6-15-available-now https://spring.io/security/cve-2023-20873 https://access.redhat.com/security/cve/CVE-2023-20873 https://bugzilla.redhat.com/show_bug.cgi?id=2231491 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22602 – Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
https://notcve.org/view.php?id=CVE-2023-22602
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` Cuando se utiliza Apache Shiro anterior a 1.11.0 junto con Spring Boot 2.6+, una solicitud HTTP especialmente manipulada puede provocar una omisión de autenticación. La omisión de autenticación se produce cuando Shiro y Spring Boot utilizan diferentes técnicas de coincidencia de patrones. Tanto Shiro como Spring Boot < 2.6 por defecto utiliza la coincidencia de patrones de estilo Ant. Mitigación: actualice a Apache Shiro 1.11.0 o establezca el siguiente valor de configuración de Spring Boot: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` A flaw was found in Apache Shiro. • https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl https://access.redhat.com/security/cve/CVE-2023-22602 https://bugzilla.redhat.com/show_bug.cgi?id=2182198 • CWE-436: Interpretation Conflict •