
CVE-2023-34055 Report - Details, Severity, & Advisories

Twingate Team

Jul 4, 2024

What is CVE-2023-34055?

CVE-2023-34055 is a medium-severity vulnerability in certain versions of Spring Boot. Specially crafted HTTP requests can drive an application into a denial-of-service (DoS) condition when it uses Spring MVC or Spring WebFlux and has Spring Boot Actuator ('org.springframework.boot:spring-boot-actuator') on the classpath. The advisory's name for the issue ("Web Observations DoS") and the workaround below both point at Actuator's HTTP server request metrics as the affected component. The issue is platform-independent: Windows, macOS, and Linux deployments are all affected.

Who is impacted by this?

CVE-2023-34055 affects Spring Boot 2.7.0 through 2.7.17, 3.0.0 through 3.0.12, and 3.1.0 through 3.1.5. An application is exposed only when all three conditions hold: it runs one of those versions, it uses Spring MVC or Spring WebFlux, and it has 'org.springframework.boot:spring-boot-actuator' on the classpath (spring-boot-starter-actuator pulls it in). An exposed application can be driven into a denial-of-service (DoS) condition by specially crafted HTTP requests. Because the trigger is ordinary HTTP traffic, treat any client that can reach the application's HTTP port as able to trigger it.

What to do if CVE-2023-34055 affects you

If you're affected by CVE-2023-34055, upgrade Spring Boot to the fixed release for your line: 2.7.18 for 2.7.x (and for anyone still on an older, out-of-support line), 3.0.13 for 3.0.x, or 3.1.6 for 3.1.x. Verify that the upgrade actually landed by checking the resolved spring-boot version in the build's dependency tree (for example with "mvn dependency:tree" or "gradle dependencies"), not only the version declared in the build file, since the version is usually inherited from spring-boot-starter-parent or the spring-boot-dependencies BOM. If you cannot upgrade immediately, disable HTTP server request metrics as a temporary workaround by setting management.metrics.enable.http.server.requests=false in application.properties (or the YAML equivalent). The workaround removes the http.server.requests metric for every endpoint, so dashboards and alerts built on it go dark until you upgrade; it is a stopgap, not a fix.
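Because the exposure check combines three conditions (version range, web stack, Actuator on the classpath) plus a temporary workaround, here is a small triage script that applies all of them to a Maven build. It is an added example written for this page, not Twingate's or the Spring project's code. The pom.xml and application.properties it inspects are constructed; the decision to classify pre-2.7 lines as out of support and point them at 2.7.18 is an assumption drawn from the upgrade guidance above. It reads only the version declared through spring-boot-starter-parent, so a project that pins Spring Boot another way (for example via the spring-boot-dependencies BOM) reports "unknown" and needs a manual check.

```python
"""Added triage helper for CVE-2023-34055; not Twingate's or the Spring project's
code. It checks the three conditions the advisory names (affected Spring Boot
version, MVC/WebFlux web stack, Actuator on the classpath) and whether the
metrics workaround is set. The sample pom.xml and properties are constructed."""
import re
import xml.etree.ElementTree as ET

# (lowest affected, highest affected, fixed release) per the advisory.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 17), "2.7.18"),
    ((3, 0, 0), (3, 0, 12), "3.0.13"),
    ((3, 1, 0), (3, 1, 5), "3.1.6"),
]
BOOT_GROUP = "org.springframework.boot"
WEB_ARTIFACTS = {"spring-boot-starter-web", "spring-boot-starter-webflux"}
ACTUATOR_ARTIFACTS = {"spring-boot-starter-actuator", "spring-boot-actuator"}
WORKAROUND_KEY = "management.metrics.enable.http.server.requests"

def parse_version(text):
    """Return (major, minor, patch); a qualifier such as -SNAPSHOT is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a Spring Boot version: {text!r}")
    return tuple(int(x) for x in m.groups())

def classify_version(text):
    """Map a version to ('affected'|'not-affected'|'out-of-support', fix or None)."""
    ver = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= ver <= high:
            return "affected", fix
    if ver < (2, 7, 0):
        # Assumption: pre-2.7 lines are out of support; the page points them at 2.7.18.
        return "out-of-support", "2.7.18"
    return "not-affected", None

def inspect_pom(pom_xml):
    """Return (Boot version from the starter parent, or None; set of Boot artifactIds)."""
    boot_version, artifacts = None, set()
    for el in ET.fromstring(pom_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the POM XML namespace
        if tag not in ("parent", "dependency"):
            continue
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if kids.get("groupId") != BOOT_GROUP:
            continue
        if tag == "parent" and kids.get("artifactId") == "spring-boot-starter-parent":
            boot_version = kids.get("version")
        elif tag == "dependency" and kids.get("artifactId"):
            artifacts.add(kids["artifactId"])
    return boot_version, artifacts

def workaround_active(properties_text):
    """True if application.properties sets the workaround key to false."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, val = line.partition("=")  # key=value form only; ':' separators not handled
        if key.strip() == WORKAROUND_KEY:
            value = val.strip().lower()  # last assignment wins
    return value == "false"

def triage(pom_xml, properties_text=""):
    """Combine version, web stack and Actuator presence into one verdict."""
    version, artifacts = inspect_pom(pom_xml)
    status, fix = classify_version(version) if version else ("unknown", None)
    web = bool(artifacts & WEB_ARTIFACTS)
    actuator = bool(artifacts & ACTUATOR_ARTIFACTS)
    exposed = status == "affected" and web and actuator
    if exposed:
        action = f"upgrade to Spring Boot {fix}"
        if workaround_active(properties_text):
            action += " (metrics workaround is in place meanwhile)"
    elif status in ("affected", "out-of-support"):
        action = f"not exposed (needs MVC/WebFlux plus Actuator), still upgrade to {fix}"
    else:
        action = "no action for CVE-2023-34055"
    return {"version": version, "status": status, "fix": fix, "web": web,
            "actuator": actuator, "exposed": exposed, "action": action}

# Constructed sample inputs so the script runs stand-alone.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>3.1.4</version></parent>
  <dependencies>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId></dependency>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-actuator</artifactId></dependency>
  </dependencies>
</project>"""
SAMPLE_PROPS = "# stopgap until the upgrade ships\n" + WORKAROUND_KEY + "=false\n"

if __name__ == "__main__":
    print(triage(SAMPLE_POM, SAMPLE_PROPS))
```

Run it against a real build by passing the contents of pom.xml (and optionally application.properties) to triage(). The "exposed" flag is true only when all three advisory conditions hold; "status" alone tells you whether the version still needs the upgrade even when the web stack or Actuator is absent, which matters because a later dependency change can make such an application exposed without any version bump.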

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-34055 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This medium-severity issue, named "Spring Boot server Web Observations DoS Vulnerability," was published on November 28, 2023.

Weakness Enumeration

NVD records the weakness for this vulnerability as NVD-CWE-noinfo (Insufficient Information), meaning NVD has not mapped the CVE to a specific CWE category. That says nothing about fixability: the fixed releases listed above resolve the issue.

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the sources listed below:
