CVE-2024-22233 – CVE-2024-22233: Spring Framework server Web DoS Vulnerability
https://notcve.org/view.php?id=CVE-2024-22233
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions. En las versiones 6.0.15 y 6.1.2 de Spring Framework, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condición de denegación de servicio (DoS). Específicamente, una aplicación es vulnerable cuando se cumple todo lo siguiente: * la aplicación usa Spring MVC * Spring Security 6.1.6+ o 6.2.1+ está en el classpath Normalmente, las aplicaciones Spring Boot necesitan org.springframework.boot:spring-boot-starter-web y org.springframework.boot:spring-boot-starter-security para cumplir con todas las condiciones. • https://security.netapp.com/advisory/ntap-20240614-0005 https://spring.io/security/cve-2024-22233 •
CVE-2023-34053 – Spring Framework server Web Observations DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-34053
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions. En las versiones 6.0.0 - 6.0.13 de Spring Framework, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condición de denegación de servicio (DoS). Específicamente, una aplicación es vulnerable cuando se cumple todo lo siguiente: * la aplicación usa Spring MVC o Spring WebFlux * io.micrometer:micrometer-core está en el classpath * un ObservationRegistry está configurado en la aplicación para registrar observaciones Typically, Spring Boot las aplicaciones necesitan la dependencia org.springframework.boot:spring-boot-actuator para cumplir con todas las condiciones. • https://security.netapp.com/advisory/ntap-20231214-0007 https://spring.io/security/cve-2023-34053 •
CVE-2023-44794
https://notcve.org/view.php?id=CVE-2023-44794
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL. Un problema en Dromara SaToken versión 1.36.0 y anteriores permite a un atacante remoto escalar privilegios a través de un payload manipulado a la URL. • https://github.com/dromara/Sa-Token/issues/515 • CWE-284: Improper Access Control •
CVE-2023-20863 – springframework: Spring Expression DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-20863
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server. • https://security.netapp.com/advisory/ntap-20240524-0015 https://spring.io/security/cve-2023-20863 https://access.redhat.com/security/cve/CVE-2023-20863 https://bugzilla.redhat.com/show_bug.cgi?id=2187742 • CWE-400: Uncontrolled Resource Consumption CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVE-2023-20860 – springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
https://notcve.org/view.php?id=CVE-2023-20860
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern. • https://github.com/limo520/CVE-2023-20860 https://security.netapp.com/advisory/ntap-20230505-0006 https://spring.io/security/cve-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20860 https://bugzilla.redhat.com/show_bug.cgi?id=2180528 • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •