CVE-2023-20883

7.5 HIGH

📋 TL;DR

This vulnerability in Spring Boot allows denial-of-service attacks when Spring MVC applications are deployed behind reverse proxy caches. Attackers can send specially crafted requests that cause the application to consume excessive resources, potentially making it unavailable. Affected systems include Spring Boot applications using Spring MVC with reverse proxy caching in vulnerable versions.

💻 Affected Systems

Products:
  • Spring Boot
Versions: 3.0.0-3.0.6, 2.7.0-2.7.11, 2.6.0-2.6.14, 2.5.0-2.5.14, and older unsupported versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Spring MVC usage with reverse proxy caching configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability due to resource exhaustion, affecting all users and potentially causing business disruption.

🟠 Likely Case: Degraded application performance or intermittent outages affecting user experience.

🟢 If Mitigated: Minimal impact with proper rate limiting, monitoring, and updated versions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires knowledge of application endpoints and reverse proxy configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Spring Boot 3.0.7+, 2.7.12+, 2.6.15+, 2.5.15+

Vendor Advisory: https://spring.io/security/cve-2023-20883

Restart Required: Yes

Instructions:

1. Update Spring Boot dependencies to a patched version.
2. Rebuild and redeploy the application.
3. Verify the version update.

🔧 Temporary Workarounds

Workaround 1: Disable reverse proxy caching (applies to: all)

Configure the reverse proxy so it does not cache responses from Spring MVC endpoints.

  # nginx: proxy_cache off;
  # Apache: CacheDisable /

Workaround 2: Implement rate limiting (applies to: all)

Add rate limiting at the reverse proxy or application level to limit the impact of DoS attempts.

  # nginx: limit_req_zone, limit_req
  # Spring Security: configure rate limiting
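The two nginx workarounds above combined into one reverse-proxy configuration, as an added example that is not part of this advisory or the Spring project. The upstream name spring_app, the zone names app_cache and per_ip, the listen port and the rate values are assumptions; tune the rate to the application's real traffic.

```nginx
# Constructed example: nginx in front of a Spring MVC application.
# Assumed names: upstream "spring_app", rate-limit zone "per_ip", cache zone "app_cache".

# Per-client request budget used by the mitigated server block below.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=20r/s;

upstream spring_app {
    server 127.0.0.1:8080;
}

# --- Weak (kept for contrast, commented out): responses from the Spring MVC app are cached ---
# proxy_cache_path /var/cache/nginx keys_zone=app_cache:10m;
# server {
#     listen 80;
#     location / {
#         proxy_cache app_cache;       # reverse proxy cache on MVC responses
#         proxy_pass  http://spring_app;
#     }
# }

# --- Mitigated: no proxy cache on MVC endpoints, per-client rate limit ---
server {
    listen 80;

    location / {
        proxy_cache off;                          # workaround 1: disable reverse proxy caching
        limit_req zone=per_ip burst=40 nodelay;   # workaround 2: per-client rate limit
        limit_req_status 429;                     # reject excess requests with 429, not 503

        proxy_pass http://spring_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Reload with `nginx -t && nginx -s reload`; rejected bursts appear in the error log as "limiting requests", which is a usable detection signal for the monitoring section below.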

🧯 If You Can't Patch

  • Implement strict rate limiting and request validation
  • Monitor application resource usage and set up alerts for abnormal patterns

🔍 How to Verify

Check if Vulnerable:

Check the Spring Boot version in pom.xml or build.gradle, and confirm whether the application uses Spring MVC behind a reverse proxy cache.

Check Version:

java -jar your-app.jar --version or check build configuration files

Verify Fix Applied:

Confirm the Spring Boot version has been updated to a patched release, then test application functionality.

📡 Detection & Monitoring

Log Indicators:

  • High frequency of similar requests
  • Increased error rates
  • Resource exhaustion warnings

Network Indicators:

  • Unusual request patterns to MVC endpoints
  • High traffic volume from single sources

SIEM Query:

source="application.logs" AND ("resource exhaustion" OR "high request rate")
