Denial of Service : VMware Spring Boot < 2.5.15, 2.6.x < 2.6.15, 2.7.x < 2.7.12, 3.0.x

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 146377 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.104758

Kategorie: Denial of Service

Titel: VMware Spring Boot < 2.5.15, 2.6.x < 2.6.15, 2.7.x < 2.7.12, 3.0.x < 3.0.7 DoS Vulnerability

Zusammenfassung: VMware Spring Boot is prone to a denial of service (DoS); vulnerability.

Beschreibung: Summary:
VMware Spring Boot is prone to a denial of service (DoS)
vulnerability.

Vulnerability Insight:
There is potential for a DoS attack if Spring MVC is used
together with a reverse proxy cache.

Affected Software/OS:
VMware Spring Boot versions prior to 2.5.15, 2.6.x prior to
2.6.15, 2.7.x prior to 2.7.12 and 3.0.x prior to 3.0.7.

Specifically, an application is vulnerable if all of the conditions are true:

- The application has Spring MVC auto-configuration enabled. This is the case by default if Spring
MVC is on the classpath.

- The application makes use of Spring Boot's welcome page support, either static or templated.

- Your application is deployed behind a proxy which caches 404 responses.

Your application is NOT vulnerable if any of the following are true:

- Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly
excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to
a value other than SERVLET.

- The application does not use Spring Boot's welcome page support.

- You do not have a proxy which caches 404 responses.

Solution:
Update to version 2.5.15, 2.6.15, 2.7.12, 3.0.7 or later.

Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses
to requests to the root (/) of the application.

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2023-20883
https://spring.io/security/cve-2023-20883

Copyright Copyright (C) 2023 Greenbone AG

Dies ist nur einer von 146377 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.104758
Kategorie:	Denial of Service
Titel:	VMware Spring Boot < 2.5.15, 2.6.x < 2.6.15, 2.7.x < 2.7.12, 3.0.x < 3.0.7 DoS Vulnerability
Zusammenfassung:	VMware Spring Boot is prone to a denial of service (DoS); vulnerability.
Beschreibung:	Summary: VMware Spring Boot is prone to a denial of service (DoS) vulnerability. Vulnerability Insight: There is potential for a DoS attack if Spring MVC is used together with a reverse proxy cache. Affected Software/OS: VMware Spring Boot versions prior to 2.5.15, 2.6.x prior to 2.6.15, 2.7.x prior to 2.7.12 and 3.0.x prior to 3.0.7. Specifically, an application is vulnerable if all of the conditions are true: - The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath. - The application makes use of Spring Boot's welcome page support, either static or templated. - Your application is deployed behind a proxy which caches 404 responses. Your application is NOT vulnerable if any of the following are true: - Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET. - The application does not use Spring Boot's welcome page support. - You do not have a proxy which caches 404 responses. Solution: Update to version 2.5.15, 2.6.15, 2.7.12, 3.0.7 or later. Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application. CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2023-20883 https://spring.io/security/cve-2023-20883
Copyright	Copyright (C) 2023 Greenbone AG