CVE-2023-34053: 
Spring Web MVC vulnerability analysis and mitigation

CVE-2023-34053 is a denial-of-service (DoS) vulnerability affecting Spring Framework versions 6.0.0 through 6.0.13. The vulnerability was discovered by James Yuzawa and publicly disclosed on November 27, 2023. The vulnerability specifically affects applications that use Spring MVC or Spring WebFlux, have io.micrometer:micrometer-core on the classpath, and have an ObservationRegistry configured to record observations (Spring Advisory).

The vulnerability allows attackers to provide specially crafted HTTP requests that can cause a denial-of-service condition. The vulnerability requires specific conditions to be exploitable, including the presence of Spring MVC or Spring WebFlux framework components and specific configuration settings. The CVSS v3.1 base score is 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high severity rating with network accessibility and no required privileges or user interaction (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition in affected applications. The impact is particularly significant for Spring Boot applications that have the org.springframework.boot:spring-boot-actuator dependency, as this typically meets all the conditions required for exploitation (Spring Advisory).

Users of affected versions should upgrade to Spring Framework 6.0.14 or later. As a temporary workaround, Spring Boot users can disable web framework observations by setting the property 'management.metrics.enable.http.server.requests=false'. The vulnerability was fixed in the Spring Framework 6.0.14 release which was shipped on November 16th, 2023 (Spring Advisory, Spring Blog).