CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  * the application uses Spring MVC
  * Spring Security 6.1.6+ or 6.2.1+ is on the classpath

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vmware    CNA   7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE       ADP   ---         ---
EPSS Score percentile: 74%
Vulnerable software versions:

Vendor  Product           Version
vmware  spring_framework  6.0.15
vmware  spring_framework  6.1.2
Debian Releases

Debian Product  Codename  Version   Status
libspring-java  bullseye  4.3.30-1  fixed
libspring-java  bookworm  4.3.30-2  fixed
libspring-java  sid       4.3.30-3  fixed
libspring-java  trixie    4.3.30-3  fixed
Ubuntu Releases

Ubuntu Product  Codename  Status
libspring-java  mantic    not-affected
libspring-java  lunar     not-affected
libspring-java  jammy     not-affected
libspring-java  focal     not-affected
libspring-java  bionic    not-affected
libspring-java  xenial    not-affected
libspring-java  trusty    not-affected