5.3
CVSS V3
Spring Framework DoS via conditional HTTP request
Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.
org.springframework:spring-web in versions
6.1.0 through 6.1.11 6.0.0 through 6.0.22 5.3.0 through 5.3.37
Older, unsupported versions are also affected
Users of affected versions should upgrade to the corresponding fixed version. 6.1.x -> 6.1.12 6.0.x -> 6.0.23 5.3.x -> 5.3.38 No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.
