CVE-2023-20883
denial-of-service vulnerability in spring-boot-autoconfigure (Maven)
What is CVE-2023-20883 About?
This vulnerability is a potential denial-of-service (DoS) attack specific to Spring Boot applications using Spring MVC with welcome page support behind a reverse proxy that caches 404 responses. It allows attackers to trigger a state that exhausts resources or makes the service unavailable. Exploitation requires a specific deployment configuration and attacker interaction.
Affected Software
- org.springframework.boot:spring-boot-autoconfigure
  - <2.5.15
  - >2.6.0, <2.6.15
  - >2.7.0, <2.7.12
  - >3.0.0, <3.0.7
Technical Details
This denial-of-service vulnerability affects Spring Boot versions 3.0.0-3.0.6, 2.7.0-2.7.11, 2.6.0-2.6.14, 2.5.0-2.5.14, and older unsupported versions. It applies only when Spring MVC is enabled, the application uses Spring Boot's welcome page support (static or templated), and the application is deployed behind a reverse proxy that caches 404 responses. An attacker can repeatedly request a non-existent resource that would normally produce a 404 status. Because the reverse proxy caches these 404 responses, it can keep serving the cached 'not found' state, potentially in a loop or at a high rate, placing excessive load on the proxy or on the backend Spring Boot application until legitimate requests are blocked or delayed. The exact mechanism may involve the proxy continuously fetching or revalidating the 404, or the application being kept busy generating expensive 404 responses because of the proxy's caching behaviour.
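The deployment precondition described above is that the proxy in front of the application caches 404 responses. The following is an added defender-side check, not code from the page or from Spring Boot: it requests a random, certainly-missing path twice through the proxy and classifies, from common cache status headers and the `Age` header, whether the second 404 was served from the cache. The hostname in the `__main__` block is a placeholder.

```python
"""Probe for the CVE-2023-20883 precondition: a reverse proxy that caches 404s.
Added example; not code from the advisory or from Spring Boot."""
import secrets
import urllib.error
import urllib.request

# Headers that caches commonly use to report hit/miss (constructed list).
STATUS_HEADERS = ("x-cache", "cf-cache-status", "cache-status", "x-cache-status")


def classify_404_caching(second: dict) -> str:
    """Classify the headers of the SECOND 404 for the same missing path as
    'cached', 'uncached' or 'inconclusive'. The first request primes the
    cache, so only the second response can be a replayed 404."""
    h = {k.lower(): v for k, v in second.items()}
    for name in STATUS_HEADERS:
        if name in h:
            return "cached" if "hit" in h[name].lower() else "uncached"
    # Age is inserted by caches (RFC 9111 section 5.1); a positive value means
    # the stored 404 is being replayed rather than fetched from the backend.
    if "age" in h and h["age"].strip().isdigit():
        return "cached" if int(h["age"]) > 0 else "inconclusive"
    return "inconclusive"


def fetch_404_headers(url: str) -> dict:
    """Request url and return the headers of the 404 it produces; any other
    outcome is an error because the probe is meaningless without a 404."""
    try:
        urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return dict(err.headers.items())
        raise RuntimeError(f"expected 404, got {err.code}") from err
    raise RuntimeError("expected 404, got a success response")


def probe(base_url: str) -> str:
    """Hit a random missing path twice via the proxy and classify the second 404."""
    url = f"{base_url.rstrip('/')}/{secrets.token_hex(8)}"
    fetch_404_headers(url)              # primes the proxy cache
    return classify_404_caching(fetch_404_headers(url))


if __name__ == "__main__":
    # Placeholder: the public hostname of the proxy in front of the Spring Boot app.
    print(probe("https://proxy.example.invalid"))
```

A result of "cached" means the proxy is storing 404s and the deployment meets the caching precondition; fix this on the proxy (do not cache 404 responses) as well as by upgrading Spring Boot.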
What is the Impact of CVE-2023-20883?
Successful exploitation may allow attackers to cause a denial of service, rendering the Spring Boot application or backend services unavailable to legitimate users.
What is the Exploitability of CVE-2023-20883?
Exploitation is of medium complexity, requiring specific environmental prerequisites. These include the target application using a vulnerable Spring Boot version, having Spring MVC auto-configuration enabled, utilizing Spring Boot's welcome page support, and crucially, being deployed behind a reverse proxy that caches 404 responses. No specific authentication is required, as the attacker is typically targeting public-facing resources. Privilege requirements are low from the attacker's perspective. This is a remote vulnerability. The special conditions are the confluence of all stated deployment characteristics, particularly the reverse proxy's caching behavior for 404s. The likelihood of exploitation increases if an organization's standard deployment practices align with these vulnerable configurations and if the application is publicly accessible.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-20883?
Available Upgrade Options
- org.springframework.boot:spring-boot-autoconfigure
  - <2.5.15 → Upgrade to 2.5.15
  - >2.6.0, <2.6.15 → Upgrade to 2.6.15
  - >2.7.0, <2.7.12 → Upgrade to 2.7.12
  - >3.0.0, <3.0.7 → Upgrade to 3.0.7
Additional Resources
- https://github.com/spring-projects/spring-boot/releases/tag/v2.7.12
- https://security.netapp.com/advisory/ntap-20230703-0008/
- https://github.com/spring-projects/spring-boot/commit/418dd1ba5bdad79b55a043000164bfcbda2acd78
- https://github.com/spring-projects/spring-boot/issues/35552
- https://spring.io/security/cve-2023-20883
- https://nvd.nist.gov/vuln/detail/CVE-2023-20883
- https://github.com/spring-projects/spring-boot/releases/tag/v2.5.15
- https://github.com/spring-projects/spring-boot
- https://osv.dev/vulnerability/GHSA-xf96-w227-r7c4
What are Similar Vulnerabilities to CVE-2023-20883?
Similar Vulnerabilities: CVE-2022-22965, CVE-2022-22950, CVE-2021-22096, CVE-2020-5407, CVE-2019-11267
