CVE-2024-22233: A high-severity Spring Framework Vulnerability

CVE-2024-22233

The Spring Framework is an open-source Java platform that provides comprehensive infrastructure support for developing enterprise applications. It’s essentially a toolkit that simplifies the development process by taking care of the boilerplate code and common tasks, allowing developers to focus on writing the core business logic of their applications.


Recently, a new high-severity vulnerability was disclosed in this framework. Tracked as CVE-2024-22233 and rated 7.5 (High) on the CVSS scale, it allows an attacker to send specially crafted HTTP requests that can cause a denial-of-service (DoS) condition.

The flaw was introduced in two specific releases of the framework, 6.0.15 and 6.1.2. When the conditions below are met, a single crafted HTTP request that looks benign can put the application into a denial-of-service state, so it can no longer serve legitimate users.

An application is vulnerable only when all of the following conditions hold:

  • The application uses Spring MVC, the framework's servlet-based model-view-controller web stack.
  • Spring Security 6.1.6+ or 6.2.1+ is on the classpath.
  • In practice, a Spring Boot application meets both conditions once it declares the `org.springframework.boot:spring-boot-starter-web` and `org.springframework.boot:spring-boot-starter-security` dependencies, because those starters pull in Spring MVC and Spring Security respectively.

This vulnerability affects the following Spring Framework versions:

  • 6.0.15
  • 6.1.2

Older versions of the framework are not affected by CVE-2024-22233.

Users running an affected version should upgrade without delay:

  • Spring Framework 6.0.15 users: Upgrade to version 6.0.16.
  • Spring Framework 6.1.2 users: Upgrade to version 6.1.3.

Spring Boot applications normally do not declare the Spring Framework version directly; it is managed by the Boot release. Such applications should move to a Boot release that manages the fixed versions (3.1.8 for the 6.0.x line, 3.2.2 for the 6.1.x line) or override the `spring-framework.version` property in their build, and then confirm with the build tool's dependency report that `spring-webmvc` actually resolves to 6.0.16 or 6.1.3.
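Because the vulnerability depends on the combination of a Spring Framework version and a Spring Security version actually resolved on the classpath, the quickest way to triage a fleet of services is to parse each build's dependency report rather than trusting the declared Boot version. The script below is an added example written for this page, not code from the Spring project or the advisory: it reads `mvn dependency:tree` or `gradle dependencies` style lines, checks the affected-version list and the trigger conditions described above, and reports the upgrade target. The sample dependency tree is constructed for illustration, and treating "6.1.6+ or 6.2.1+" as "any 6.1.x with patch level 6 or higher, or anything at or above 6.2.1" is this example's reading of the advisory.

```python
"""Triage a resolved dependency list for the CVE-2024-22233 trigger conditions.

Added example for this page, not Spring project code. Accepts lines in the
shape printed by `mvn dependency:tree` ("[INFO] +- g:a:jar:version:scope")
or `gradle dependencies` ("+--- g:a:version" or "g:a:1.0 -> 1.1 (*)").
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Spring Framework releases named in the advisory, mapped to their fixes.
AFFECTED_FRAMEWORK = {"6.0.15": "6.0.16", "6.1.2": "6.1.3"}

FRAMEWORK_GROUP = "org.springframework"
SECURITY_GROUP = "org.springframework.security"
MVC_ARTIFACT = "spring-webmvc"  # presence of this jar means Spring MVC is in use

# Leading "[INFO]" and tree-drawing characters emitted by Maven and Gradle.
_PREFIX_RE = re.compile(r"^(?:\[INFO\]\s*)?[\s|+\\-]*")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group, artifact, resolved_version) for a dependency line, else None."""
    body = _PREFIX_RE.sub("", line.strip())
    parts = body.split(":")
    if len(parts) == 3:              # Gradle: g:a:v, possibly "v1 -> v2 (*)"
        raw = parts[2].split("->")[-1].strip()
        group, artifact = parts[0], parts[1]
    elif len(parts) == 5:            # Maven: g:a:type:v:scope
        group, artifact, raw = parts[0], parts[1], parts[3]
    elif len(parts) == 6:            # Maven with classifier: g:a:type:classifier:v:scope
        group, artifact, raw = parts[0], parts[1], parts[4]
    else:
        return None
    m = re.match(r"[\w.\-]+", raw)   # drop Gradle annotations such as "(*)"
    return (group, artifact, m.group(0)) if m else None


def version_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    m = _VERSION_RE.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def security_triggers(version: str) -> bool:
    """Spring Security 6.1.6+ or 6.2.1+ (this example's reading of the advisory)."""
    v = version_tuple(version)
    if v is None:
        return False
    if v[:2] == (6, 1):
        return v[2] >= 6
    return v >= (6, 2, 1)


def assess(lines: Iterable[str]) -> Dict[str, object]:
    """Apply the advisory's conditions to one resolved dependency graph."""
    deps = [d for d in map(parse_coordinate, lines) if d is not None]
    framework_versions = {v for g, _, v in deps if g == FRAMEWORK_GROUP}
    security_versions = sorted({v for g, _, v in deps if g == SECURITY_GROUP})
    affected = sorted(v for v in framework_versions if v in AFFECTED_FRAMEWORK)
    has_mvc = any(g == FRAMEWORK_GROUP and a == MVC_ARTIFACT for g, a, _ in deps)
    triggering = [v for v in security_versions if security_triggers(v)]
    return {
        "vulnerable": bool(affected) and has_mvc and bool(triggering),
        "affected_framework_versions": affected,
        "spring_mvc_present": has_mvc,
        "triggering_security_versions": triggering,
        "upgrade_to": sorted({AFFECTED_FRAMEWORK[v] for v in affected}),
    }


# Constructed sample: a Boot 3.2.1-style tree pairing Framework 6.1.2 with Security 6.2.1.
SAMPLE_MAVEN_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.1:compile
[INFO] |  +- org.springframework:spring-web:jar:6.1.2:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:6.1.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.2.1:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.2.1:compile
[INFO] |  \\- org.springframework.security:spring-security-web:jar:6.2.1:compile
[INFO] \\- org.springframework:spring-core:jar:6.1.2:compile
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_MAVEN_TREE.splitlines()).items():
        print(f"{key}: {value}")
```

Pipe a real report in with `mvn dependency:tree | python triage.py` style plumbing by replacing the sample with `sys.stdin`; the point of keeping the three conditions separate in the result is that a service with Spring Framework 6.1.2 but Spring Security 6.1.5, or with Spring Security present but no `spring-webmvc` jar (a pure WebFlux service), is reported as not vulnerable while still showing which condition was missed.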