CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.netapp.com/advisory/ntap-20240614-0005/
https://spring.io/security/cve-2024-22233/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:spring_framework:6.0.15:::::::*
	cpe:2.3:a:vmware:spring_framework:6.1.2:::::::*

History

14 Jun 2024, 13:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240614-0005/ -

29 Jan 2024, 17:24

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://spring.io/security/cve-2024-22233/ -~~	() https://spring.io/security/cve-2024-22233/ - Vendor Advisory
CPE		cpe:2.3:a:vmware:spring_framework:6.0.15:::::::* cpe:2.3:a:vmware:spring_framework:6.1.2:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

22 Jan 2024, 14:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-22 13:15

Updated : 2024-06-14 13:15

NVD link : CVE-2024-22233

Mitre link : CVE-2024-22233

CVE.ORG link : CVE-2024-22233

JSON object : View

Products Affected

vmware

spring_framework

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-22233", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-01-22T13:15:25.453", "references": [{"url": "https://security.netapp.com/advisory/ntap-20240614-0005/", "source": "security@vmware.com"}, {"url": "https://spring.io/security/cve-2024-22233/", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC\n * Spring Security 6.1.6+ or 6.2.1+ is on the classpath\n\n\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web\u00a0and org.springframework.boot:spring-boot-starter-security\u00a0dependencies to meet all conditions.\n\n\n"}, {"lang": "es", "value": "En las versiones 6.0.15 y 6.1.2 de Spring Framework, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condici\u00f3n de denegaci\u00f3n de servicio (DoS). Espec\u00edficamente, una aplicaci\u00f3n es vulnerable cuando se cumple todo lo siguiente: * la aplicaci\u00f3n usa Spring MVC * Spring Security 6.1.6+ o 6.2.1+ est\u00e1 en el classpath Normalmente, las aplicaciones Spring Boot necesitan org.springframework.boot:spring-boot-starter-web y org.springframework.boot:spring-boot-starter-security para cumplir con todas las condiciones."}], "lastModified": "2024-06-14T13:15:50.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:6.0.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A04B2C42-3F98-4CAF-862B-2F81C425446B"}, {"criteria": "cpe:2.3:a:vmware:spring_framework:6.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAE69C54-42A0-4C9D-AE75-305E98C208CB"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}