7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-34053

GHSA ID

GHSA-v94h-hvhg-mf9h

EPSS Score

0.62984%

CWE

Published

11/28/2023

Updated

3/14/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34053

CVE-2023-34053: Spring Framework vulnerable to denial of service

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses Spring MVC or Spring WebFlux
io.micrometer:micrometer-core is on the classpath
an ObservationRegistry is configured in the application to record observations

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-34053

CVE-2023-34053:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-34053

GHSA ID

GHSA-v94h-hvhg-mf9h

EPSS Score

0.62984%

CWE

Published

11/28/2023

Updated

3/14/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework:spring-webmvc	maven	>= 6.0.0, < 6.0.14	6.0.14

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unvalidated HTTP method handling in observation conventions. The patch adds validation against known HTTP methods (via HTTP_METHODS sets) and returns METHOD_UNKNOWN for invalid methods. Before this fix, any arbitrary method string would be processed, creating new metric tags each time. Attackers could send numerous unique invalid methods to exhaust memory via Micrometer's KeyValue allocations, which aligns with the described DoS mechanism. The commit diff and added tests for 'unknown HTTP method exchange' confirm these were the vulnerable code paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-34053: Spring Framework vulnerable to denial of service

CVE-2023-34053:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Basic Information

Basic Information

CVE-2023-34053: Spring Framework vulnerable to denial of service

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI