CVE-2024-22233: 
Jenkins vulnerability analysis and mitigation

CVE-2024-22233 is a high-severity vulnerability (CVSS 7.5) discovered in Spring Framework versions 6.0.15 and 6.1.2. The vulnerability was disclosed on January 22, 2024, affecting applications that use Spring MVC with Spring Security 6.1.6+ or 6.2.1+ on the classpath. These versions are respectively being used by Spring Boot 3.1.7 and 3.2.1 (Spring Advisory).

The vulnerability allows attackers to provide specially crafted HTTP requests that can trigger a denial-of-service (DoS) condition. The vulnerability specifically affects applications that meet two conditions: using Spring MVC and having Spring Security 6.1.6+ or 6.2.1+ in the classpath. Typically, Spring Boot applications are vulnerable when they include both org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies (Spring Advisory, Security Online).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition, potentially making the affected application unavailable to legitimate users (Spring Advisory).

Users of affected versions should upgrade their Spring Framework installations: Spring Framework 6.0.15 users should upgrade to 6.0.16, and Spring Framework 6.1.2 users should upgrade to 6.1.3. The Spring Boot 3.1.8 and 3.2.2 releases shipped with the relevant fixed Spring Framework versions (Spring Advisory, Spring Blog).

The vulnerability was identified and responsibly reported by multiple security researchers including Aleksander Blomskøld, LiveOverflow (hextree.io), ZetaTwo, anasbekar, zzgoon, 0xLegacyy, xyzeva, and AcroTiger (Spring Advisory).