{ "threat_severity" : "Moderate", "public_date" : "2024-01-22T00:00:00Z", "bugzilla" : { "description" : "spring-boot: Crafted HTTP requests may lead to debial-of-service (DOS)", "id" : "2259703", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2259703" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-400", "details" : [ "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\nSpecifically, an application is vulnerable when all of the following are true:\n* the application uses Spring MVC\n* Spring Security 6.1.6+ or 6.2.1+ is on the classpath\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.", "A flaw was found in the Spring Framework. This issue may allow a remote user to provide specially crafted HTTP requests, leading the application to a Denial of Service (DoS). An application may be considered vulnerable if it meets the both conditions: The application uses Spring MVC and Spring Security versions 6.1.6, 6.2.1, or above are set on the classpath." ], "statement" : "After careful consideration, Redhat has rated this vulnerability as moderate severity as successful exploitation of this flaw depends on various factors such as org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies, the application uses Spring MVC,Spring Security 6.1.6+ or 6.2.1+ is on the classpath.", "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "log4j:2/log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-22233\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22233\nhttps://spring.io/security/cve-2024-22233/" ], "name" : "CVE-2024-22233", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }