Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14Zjk2LXcyMjctcjdjNM4AAzfE
Spring Boot Welcome Page Denial of Service
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Specifically, an application is vulnerable if all of the conditions are true:
- The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
- The application makes use of Spring Boot's welcome page support, either static or templated.
- Your application is deployed behind a proxy which caches 404 responses.
Your application is NOT vulnerable if any of the following are true:
- Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
- The application does not use Spring Boot's welcome page support.
- You do not have a proxy which caches 404 responses.
Affected Spring Products and Versions
Spring Boot
3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14
Older, unsupported versions are also affected
Mitigation
Users of affected versions should apply the following mitigations:
- 3.0.x users should upgrade to 3.0.7+
- 2.7.x users should upgrade to 2.7.12+
- 2.6.x users should upgrade to 2.6.15+
- 2.5.x users should upgrade to 2.5.15+
Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.
Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.
Permalink: https://github.com/advisories/GHSA-xf96-w227-r7c4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Zjk2LXcyMjctcjdjNM4AAzfE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-xf96-w227-r7c4, CVE-2023-20883
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-20883
- https://spring.io/security/cve-2023-20883
- https://github.com/spring-projects/spring-boot/issues/35552
- https://github.com/spring-projects/spring-boot/commit/418dd1ba5bdad79b55a043000164bfcbda2acd78
- https://github.com/spring-projects/spring-boot/releases/tag/v2.5.15
- https://github.com/spring-projects/spring-boot/releases/tag/v2.6.15
- https://github.com/spring-projects/spring-boot/releases/tag/v2.7.12
- https://security.netapp.com/advisory/ntap-20230703-0008/
- https://github.com/advisories/GHSA-xf96-w227-r7c4
Blast Radius: 33.1
Affected Packages
maven:org.springframework.boot:spring-boot-autoconfigure
Dependent packages: 6,483Dependent repositories: 25,597
Downloads:
Affected Version Ranges: < 2.5.15, >= 2.6.0, < 2.6.15, >= 2.7.0, < 2.7.12, >= 3.0.0, < 3.0.7
Fixed in: 2.5.15, 2.6.15, 2.7.12, 3.0.7
All affected versions: 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6
All unaffected versions: 2.5.15, 2.6.15, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5