CVE-2023-20883: 
Java vulnerability analysis and mitigation

A denial-of-service (DoS) vulnerability was identified in Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions. The vulnerability occurs when Spring MVC is used in conjunction with a reverse proxy cache (Spring Advisory, NVD).

The vulnerability is triggered when specific conditions are met: Spring MVC auto-configuration is enabled (default when Spring MVC is on classpath), the application uses Spring Boot's welcome page support (static or templated), and the application is deployed behind a proxy that caches 404 responses. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Spring Advisory, NetApp Advisory).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition, potentially making the application unavailable to legitimate users (NetApp Advisory).

Users of affected versions should upgrade to the following patched versions: 3.0.x users to 3.0.7+, 2.7.x users to 2.7.12+, 2.6.x users to 2.6.15+, and 2.5.x users to 2.5.15+. Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+. Alternative workarounds include configuring the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application (Spring Advisory).