CVE-2023-34053
Denial-of-service (DoS) vulnerability in spring-webmvc (Maven)

Type: Denial-of-service (DoS) | Exploit status: No known exploit | Fixable by Resolved Security

What is CVE-2023-34053 About?

This vulnerability in Spring Framework allows specially crafted HTTP requests to cause a denial-of-service condition. Its impact is a temporary disruption of service, making the application unavailable to legitimate users. Exploitation is moderately easy, requiring specific application configurations to be present.

Affected Software

org.springframework:spring-webmvc >6.0.0, <6.0.14

Technical Details

The vulnerability exists in Spring Framework versions 6.0.0 through 6.0.13. An application becomes vulnerable when it uses Spring MVC or Spring WebFlux, has 'io.micrometer:micrometer-core' on its classpath, and has an 'ObservationRegistry' configured to record observations. Spring Boot applications that include the 'org.springframework.boot:spring-boot-actuator' dependency typically meet all of these conditions. An attacker can send specially crafted HTTP requests which, when the application is configured this way, lead to excessive resource consumption or an error state, ultimately causing a denial-of-service condition.

What is the Impact of CVE-2023-34053?

Successful exploitation may allow attackers to disrupt service availability, leading to temporary unavailability of the application or system resources.

What is the Exploitability of CVE-2023-34053?

Exploitation of this vulnerability is of moderate complexity, requiring the attacker to send specially crafted HTTP requests. There are no explicit authentication or privilege requirements to trigger the vulnerability, as it targets how the server processes requests. Access can be remote. The likelihood of exploitation is increased if the target application uses Spring MVC/WebFlux, includes micrometer-core, and has an ObservationRegistry configured, with Spring Boot Actuator often implying these conditions.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits listed.

What are the Available Fixes for CVE-2023-34053?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes how HTTP methods are recorded for observability by only accepting well-known/standard HTTP methods; if a non-standard or unknown method is encountered, the method is now returned as "UNKNOWN" instead of whatever was provided. This prevents unrecognized or attacker-supplied method names from being stored as metric labels, mitigating the risk of unbounded cardinality and potential resource exhaustion, which is the core issue in CVE-2023-34053.
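The following is an added illustration, not Spring Framework, Micrometer or Resolved Security code, of the cardinality problem described in the Technical Details and of the fix described above. It assumes a hypothetical convention that maps a request's method to a metric tag value, a minimal map as a stand-in for a meter registry, and a set of well-known methods that the advisory does not enumerate.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.UnaryOperator;

// Hypothetical stand-in for the observation convention that turns a request's HTTP
// method into a metric tag value. This is not Spring Framework or Micrometer code.
public class MethodTagCardinalityDemo {

    // Assumed set of well-known methods; the fix description does not enumerate them.
    static final Set<String> KNOWN_METHODS =
            Set.of("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE");

    // Pre-fix behaviour: whatever token appeared on the request line becomes the tag value.
    static String methodTagUnbounded(String requestMethod) {
        return requestMethod;
    }

    // Post-fix behaviour as the advisory describes it: unknown methods collapse to "UNKNOWN".
    static String methodTagBounded(String requestMethod) {
        return KNOWN_METHODS.contains(requestMethod) ? requestMethod : "UNKNOWN";
    }

    // Minimal stand-in for a meter registry: one time series (map entry) per distinct tag value.
    static Map<String, Integer> record(List<String> methods, UnaryOperator<String> tagFn) {
        Map<String, Integer> series = new HashMap<>();
        for (String m : methods) {
            series.merge(tagFn.apply(m), 1, Integer::sum);
        }
        return series;
    }

    public static void main(String[] args) {
        // Constructed traffic: a few ordinary requests plus many requests whose method token is unique.
        List<String> methods = new ArrayList<>(List.of("GET", "POST", "GET", "DELETE"));
        for (int i = 0; i < 10_000; i++) {
            methods.add("M" + i);
        }

        int unbounded = record(methods, MethodTagCardinalityDemo::methodTagUnbounded).size();
        int bounded = record(methods, MethodTagCardinalityDemo::methodTagBounded).size();
        // Pre-fix the registry grows with every new token; post-fix it stays at the known set plus UNKNOWN.
        System.out.println("distinct method tag values before the fix: " + unbounded);
        System.out.println("distinct method tag values after the fix:  " + bounded);
    }
}
```

Each distinct tag value is a separate time series that the registry keeps in memory, which is why bounding the value set also bounds the resource use.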

Available Upgrade Options

  • org.springframework:spring-webmvc
    • >6.0.0, <6.0.14 → Upgrade to 6.0.14


Additional Resources

What are Similar Vulnerabilities to CVE-2023-34053?

Similar Vulnerabilities: CVE-2022-22965, CVE-2021-22096, CVE-2020-5421, CVE-2018-1270, CVE-2016-5007