CVE-2023-34055: Spring Boot Actuator denial of service vulnerability
5.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.springframework.boot:spring-boot-actuator | maven | < 2.7.18 | 2.7.18 |
| org.springframework.boot:spring-boot-actuator | maven | >= 3.0.0, < 3.0.13 | 3.0.13 |
| org.springframework.boot:spring-boot-actuator | maven | >= 3.1.0, < 3.1.6 | 3.1.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2023-34055) describes a Denial of Service in Spring Boot Actuator due to specially crafted HTTP requests. The provided commit (5490e73922b37a7f0bdde43eb318cb1038b45d60) modifies how HTTP method tags are generated in `WebFluxTags.java` and `WebMvcTags.java`.

Before the patch, both `WebFluxTags.method` and `WebMvcTags.method` would create a `Tag` object using the literal string of the HTTP method from the incoming request. If an attacker sent numerous requests with unique (and potentially long or malformed) HTTP method strings, this would lead to the creation of a large number of unique `Tag` objects. These tags are typically used for metrics and can be stored in memory, leading to memory exhaustion and a DoS condition.

The patch changes this behavior by first attempting to resolve the HTTP method to a known/standard `HttpMethod`. If the method is not standard (e.g., `HttpMethod.resolve()` returns null, or `exchange.getRequest().getMethod()` returns null for WebFlux), a generic `METHOD_UNKNOWN` tag is used. This prevents the unbounded creation of new `Tag` objects from arbitrary input in the HTTP method, thus mitigating the DoS vulnerability.

The vulnerable functions are therefore the `method` functions in these two classes as they existed before this patch, because they directly processed potentially malicious input (the HTTP method string) in a way that could lead to resource exhaustion.
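The following is an added, self-contained illustration of the root cause and of the fix described above; it is not code from Spring Boot or from the referenced commit. The `Tag` record, the `HttpMethod` enum with its `resolve` method, and the `MethodTagCardinality` class with `vulnerableMethodTag`, `hardenedMethodTag` and `distinctTags` are simplified stand-ins (assumptions) for Micrometer's `Tag` and the Spring 5 `HttpMethod` enum, so the file compiles without any dependency. It places the pre-patch and post-patch tagging strategies side by side and measures the one quantity that matters for this bug: how many distinct `method` tags a metrics registry would have to hold for a given request stream.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Function;

// Added illustration, not Spring Boot's own code. Tag and HttpMethod are
// simplified stand-ins (assumptions) for Micrometer's Tag and the Spring 5
// HttpMethod enum, so this file compiles on its own.
record Tag(String key, String value) {}

enum HttpMethod {
    GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS, TRACE;

    // Same contract the advisory relies on: a standard method resolves,
    // anything else (including null) yields null. The lookup is
    // case-sensitive, as HTTP method tokens are.
    static HttpMethod resolve(String method) {
        if (method == null) {
            return null;
        }
        for (HttpMethod candidate : values()) {
            if (candidate.name().equals(method)) {
                return candidate;
            }
        }
        return null;
    }
}

public class MethodTagCardinality {

    // Generic tag the patched code falls back to for non-standard methods.
    static final Tag METHOD_UNKNOWN = new Tag("method", "UNKNOWN");

    // Pre-patch behaviour: the raw request method becomes the tag value, so
    // the set of distinct tags grows with whatever clients choose to send.
    static Tag vulnerableMethodTag(String rawMethod) {
        return new Tag("method", rawMethod);
    }

    // Post-patch behaviour: resolve to a known HttpMethod first and fall back
    // to METHOD_UNKNOWN otherwise. Distinct tag values are now bounded by the
    // number of enum constants plus one.
    static Tag hardenedMethodTag(String rawMethod) {
        HttpMethod resolved = HttpMethod.resolve(rawMethod);
        return resolved == null ? METHOD_UNKNOWN : new Tag("method", resolved.name());
    }

    // Counts how many distinct tags a tagging strategy produces for a request
    // stream; this is what a metrics registry would retain in memory.
    static int distinctTags(Function<String, Tag> tagger, List<String> requestMethods) {
        Set<Tag> seen = new HashSet<>();
        for (String method : requestMethods) {
            seen.add(tagger.apply(method));
        }
        return seen.size();
    }

    public static void main(String[] args) {
        // Constructed request stream: ordinary traffic, one lowercase token,
        // and a run of non-standard method tokens of the kind the advisory
        // describes.
        List<String> methods = new ArrayList<>(List.of("GET", "POST", "GET", "DELETE", "get"));
        for (int i = 0; i < 1_000; i++) {
            methods.add("NONSTANDARD-" + i);
        }

        int before = distinctTags(MethodTagCardinality::vulnerableMethodTag, methods);
        int after = distinctTags(MethodTagCardinality::hardenedMethodTag, methods);

        System.out.println("distinct method tags, pre-patch:  " + before);
        System.out.println("distinct method tags, post-patch: " + after);
        System.out.println("upper bound after patch: " + (HttpMethod.values().length + 1));
    }
}
```

Compile and run with `javac MethodTagCardinality.java && java MethodTagCardinality` (Java 16 or later, for the record type). The pre-patch count grows by one for every new token in the stream, while the post-patch count never exceeds the enum size plus one regardless of how many requests arrive. Two points worth noting for operators: a lowercase `get` resolves to `UNKNOWN` rather than `GET`, which is the expected behaviour of a case-sensitive lookup and not a defect; and a sudden rise in the number of distinct `method` tag values exposed by an unpatched Actuator's metrics endpoint is a usable indicator that this condition is being triggered.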