CVE-2023-34055: 
Spring Boot vulnerability analysis and mitigation

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12, and 3.1.0-3.1.5, a vulnerability was discovered that allows users to cause a denial-of-service (DoS) condition through specially crafted HTTP requests. The vulnerability affects applications that use Spring MVC or Spring WebFlux and have org.springframework.boot:spring-boot-actuator on the classpath. This vulnerability was disclosed on November 27, 2023, and was assigned CVE-2023-34055 (Spring Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability specifically targets the web observations functionality in Spring Boot's actuator component. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N) (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition, affecting the availability of the application. The impact is specifically focused on availability (A:H) with no impact on confidentiality (C:N) or integrity (I:N) (NVD).

Users of affected versions should upgrade to the following patched versions: Spring Boot 2.7.x users should upgrade to 2.7.18, Spring Boot 3.0.x users should upgrade to 3.0.13, and Spring Boot 3.1.x users should upgrade to 3.1.6. As a temporary workaround, users can disable web metrics by setting the property 'management.metrics.enable.http.server.requests=false' (Spring Advisory).

The vulnerability was identified and responsibly reported by James Yuzawa. The Spring Framework team responded by releasing fixes in multiple versions, demonstrating their commitment to addressing security issues promptly (Spring Blog).