CVE-2015-5262
Denial of Service vulnerability in httpclient (Maven)
What is CVE-2015-5262 About?
Apache HttpComponents HttpClient versions before 4.3.6 are vulnerable to a Denial of Service condition. SSLConnectionSocketFactory (http/conn/ssl/SSLConnectionSocketFactory.java) ignores the configured socket timeout (http.socket.timeout) during the SSL/TLS handshake, so a remote endpoint that accepts the TCP connection but never completes the handshake can make an HTTPS call hang indefinitely.
Affected Software
- org.apache.httpcomponents:httpclient (Maven), versions before 4.3.6
Technical Details
This Denial of Service vulnerability affects any application that makes HTTPS requests with Apache HttpClient 4.x before 4.3.6 (the org.apache.httpcomponents:httpclient artifact, frequently pulled in transitively by other libraries). HttpClient applies the caller's socket timeout (SO_TIMEOUT, historically the http.socket.timeout parameter) to the connection only after the connection has been established and layered with TLS. In affected versions the TLS handshake performed by SSLConnectionSocketFactory runs before that timeout is set, so blocking reads inside the handshake have no upper bound. A server, or a network attacker positioned to intercept the connection, that completes the TCP handshake and then sends nothing leaves the calling thread blocked forever. The connect timeout does not help because the TCP connect has already succeeded. In a server-side application that makes outbound HTTPS calls, each stalled call pins a thread and a connection-pool slot, and enough of them exhaust the pool or the worker threads. Version 4.3.6 fixes this by applying a timeout to the socket before the handshake begins.
What is the Impact of CVE-2015-5262?
A single HTTPS request to a malicious or stalled endpoint hangs indefinitely and blocks the calling thread. Applications that make outbound HTTPS calls on request-handling threads (webhook delivery, URL fetchers, service-to-service calls) can have those threads and connection-pool slots exhausted, making the application unresponsive for legitimate users. There is no confidentiality or integrity impact.
What is the Exploitability of CVE-2015-5262?
Exploitation requires the attacker to control, or be positioned to interfere with, the TLS endpoint the client connects to: a malicious server whose URL the application fetches, a compromised upstream service, or a man-in-the-middle that lets the TCP handshake complete and then stalls the TLS handshake. No authentication or privileges are needed, and no special request crafting is required beyond not responding. The attack is remote. Likelihood is highest for applications that fetch user-supplied or third-party URLs over HTTPS, and for clients that call many external services without a handshake-level timeout or per-host concurrency limits.
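The following is an added example, not code from the advisory or from Apache HttpClient. It assumes HttpClient 4.3.x on the classpath and shows the timeouts a caller normally configures through RequestConfig, which in versions before 4.3.6 do not bound the TLS handshake, together with a hypothetical stopgap subclass (HandshakeTimeoutSslFactory, not part of HttpClient) that sets SO_TIMEOUT on the raw socket before the TLS layer is created. The URL and the 5-second timeout are placeholders. Upgrading to 4.3.6 or later remains the real fix.

```java
// Added example, not from the advisory or from Apache HttpClient.
// Assumes HttpClient 4.3.x. The subclass below is a hypothetical stopgap for
// deployments that cannot upgrade immediately; 4.3.6+ bounds the handshake itself.
import java.io.IOException;
import java.net.Socket;
import java.net.SocketTimeoutException;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpContext;

public class HandshakeTimeoutExample {

    // Stopgap for HttpClient < 4.3.6 (hypothetical helper): put a read timeout on the
    // plain socket before TLS is layered on top of it, so a server that stalls the
    // handshake cannot block the calling thread forever.
    static final class HandshakeTimeoutSslFactory extends SSLConnectionSocketFactory {
        private final int handshakeTimeoutMillis;

        HandshakeTimeoutSslFactory(int handshakeTimeoutMillis) {
            super(SSLContexts.createDefault(),
                  SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
            this.handshakeTimeoutMillis = handshakeTimeoutMillis;
        }

        @Override
        public Socket createLayeredSocket(Socket socket, String target, int port,
                                          HttpContext context) throws IOException {
            // SO_TIMEOUT bounds every blocking read on the socket, including the reads
            // performed inside SSLSocket.startHandshake() by the superclass.
            socket.setSoTimeout(handshakeTimeoutMillis);
            return super.createLayeredSocket(socket, target, port, context);
        }
    }

    public static CloseableHttpClient buildClient(int timeoutMillis) {
        RequestConfig config = RequestConfig.custom()
                // TCP connect only: succeeds even against a server that then stalls TLS
                .setConnectTimeout(timeoutMillis)
                // In < 4.3.6 this is applied only after the handshake has completed
                .setSocketTimeout(timeoutMillis)
                .build();
        return HttpClients.custom()
                .setDefaultRequestConfig(config)
                .setSSLSocketFactory(new HandshakeTimeoutSslFactory(timeoutMillis))
                .build();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder URL; in the vulnerable scenario this host accepts the TCP
        // connection and then never completes the TLS handshake.
        String url = args.length > 0 ? args[0] : "https://example.invalid/";
        try (CloseableHttpClient client = buildClient(5000);
             CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            System.out.println(response.getStatusLine());
        } catch (SocketTimeoutException e) {
            // With the stopgap (or HttpClient >= 4.3.6) a stalled handshake ends here
            // after roughly 5 s instead of pinning the thread indefinitely.
            System.err.println("handshake or read timed out: " + e.getMessage());
        }
    }
}
```

The subclass route is shown because it makes the mechanism explicit: the timeout has to be on the socket before startHandshake() runs, and a RequestConfig socket timeout alone does not get there in affected versions. Treat the stopgap as temporary; once on 4.3.6 or later the plain RequestConfig settings are sufficient.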
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-5262?
Available Upgrade Options
- org.apache.httpcomponents:httpclient
- <4.3.6 → Upgrade to 4.3.6 (or any later release)
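Because httpclient is usually a transitive dependency, the version declared in a pom is not always the one that ends up on the classpath. The following added example (not code from the advisory or from Apache HttpClient) checks at start-up which httpclient build was actually loaded, using VersionInfo from httpcore, and refuses to continue if it is older than 4.3.6. The class name, the FIXED_RELEASE constant and the version comparison are this example's own.

```java
// Added example, not from the advisory or from Apache HttpClient.
// Reads the release string out of the httpclient jar that is actually on the
// classpath and fails fast if it predates the CVE-2015-5262 fix (4.3.6).
import org.apache.http.util.VersionInfo;

public class HttpClientVersionGate {

    static final String FIXED_RELEASE = "4.3.6";

    // Numeric comparison of dotted release strings: "4.3.10" > "4.3.6", "4.3.6" == "4.3.6".
    // A non-numeric component such as "beta1" in "4.4-beta1" counts as 0.
    static int compareRelease(String a, String b) {
        String[] pa = a.split("[.-]");
        String[] pb = b.split("[.-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? parsePart(pa[i]) : 0;
            int y = i < pb.length ? parsePart(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    private static int parsePart(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            return 0;
        }
    }

    // True when the given httpclient release contains the fix.
    static boolean isFixed(String release) {
        return compareRelease(release, FIXED_RELEASE) >= 0;
    }

    // VersionInfo reads org/apache/http/client/version.properties from the
    // httpclient jar; HttpClient itself uses the same lookup for its User-Agent.
    public static String loadedHttpClientRelease() {
        VersionInfo vi = VersionInfo.loadVersionInfo("org.apache.http.client",
                HttpClientVersionGate.class.getClassLoader());
        return vi == null ? null : vi.getRelease();
    }

    public static void main(String[] args) {
        String release = loadedHttpClientRelease();
        if (release == null) {
            System.out.println("httpclient is not on the classpath");
            return;
        }
        System.out.println("httpclient release: " + release);
        if (!isFixed(release)) {
            throw new IllegalStateException("httpclient " + release
                    + " is affected by CVE-2015-5262; upgrade to " + FIXED_RELEASE + " or later");
        }
    }
}
```

At build time the equivalent check is `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient`, which shows every path by which the artifact is pulled in; pin the version in dependencyManagement if a transitive dependency keeps resolving to an old release.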
Additional Resources
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html
- https://jenkins.io/security/advisory/2018-02-26/
- http://www.securitytracker.com/id/1033743
- https://bugzilla.redhat.com/show_bug.cgi?id=1261538
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html
What are Similar Vulnerabilities to CVE-2015-5262?
Similar Vulnerabilities: CVE-2023-20860 , CVE-2023-20861 , CVE-2023-20883 , CVE-2023-20862 , CVE-2022-22971
