CVE-2024-22233

{"id": "CVE-2024-22233", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-01-22T13:15:25.453", "references": [{"url": "https://security.netapp.com/advisory/ntap-20240614-0005/", "source": "security@vmware.com"}, {"url": "https://spring.io/security/cve-2024-22233/", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0005/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://spring.io/security/cve-2024-22233/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC\n * Spring Security 6.1.6+ or 6.2.1+ is on the classpath\n\n\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web\u00a0and org.springframework.boot:spring-boot-starter-security\u00a0dependencies to meet all conditions."}, {"lang": "es", "value": "En las versiones 6.0.15 y 6.1.2 de Spring Framework, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condici\u00f3n de denegaci\u00f3n de servicio (DoS). Espec\u00edficamente, una aplicaci\u00f3n es vulnerable cuando se cumple todo lo siguiente: * la aplicaci\u00f3n usa Spring MVC * Spring Security 6.1.6+ o 6.2.1+ est\u00e1 en el classpath Normalmente, las aplicaciones Spring Boot necesitan org.springframework.boot:spring-boot-starter-web y org.springframework.boot:spring-boot-starter-security para cumplir con todas las condiciones."}], "lastModified": "2025-02-13T18:16:47.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:6.0.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A04B2C42-3F98-4CAF-862B-2F81C425446B"}, {"criteria": "cpe:2.3:a:vmware:spring_framework:6.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAE69C54-42A0-4C9D-AE75-305E98C208CB"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}