org.springframework.boot:spring-boot-autoconfigure@2.5.9 vulnerabilities

  • latest version: 3.4.1

  • latest non vulnerable version

  • first published: 10 years ago

  • latest version published: 1 month ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.boot:spring-boot-autoconfigure package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Denial of Service (DoS)

    Affected versions of this package are vulnerable to Denial of Service (DoS) if Spring MVC is used together with a reverse proxy cache.

    Specifically, an application is vulnerable if all of the following conditions are true:

    • The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
    • The application uses Spring Boot's welcome page support, either static or templated.
    • The application is deployed behind a proxy which caches 404 responses.

    The application is NOT vulnerable if any of the following are true:

    • Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
    • The application does not use Spring Boot's welcome page support.
    • There is no proxy which caches 404 responses.

    How to fix Denial of Service (DoS)?

    Upgrade org.springframework.boot:spring-boot-autoconfigure to version 2.5.15, 2.6.15, 2.7.12, 3.0.7 or higher.

    Vulnerable versions: [,2.5.15) [2.6.0,2.6.15) [2.7.0,2.7.12) [3.0.0,3.0.7)
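
The vulnerable-version intervals above can be checked mechanically against a dependency inventory. The following is an added example, not Snyk or Spring code: it parses the interval string from this page and reports whether a given version falls inside it. The function names are hypothetical, and versions are assumed to be plain numeric releases (optionally with the `.RELEASE` suffix used by older Spring Boot releases). A version inside a range is only affected when the three conditions listed above also hold.

```python
import re

# Vulnerable-version string exactly as listed on this page.
ADVISORY_RANGES = "[,2.5.15)[2.6.0,2.6.15)[2.7.0,2.7.12)[3.0.0,3.0.7)"
_INTERVAL = re.compile(r"([\[(])([\w.]*),([\w.]*)([\])])")


def version_key(version):
    """'2.5.9' -> (2, 5, 9, 0). Assumes numeric release versions."""
    version = version.strip()
    if version.endswith(".RELEASE"):  # suffix used by older Spring Boot releases
        version = version[: -len(".RELEASE")]
    parts = version.split(".")
    if not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"unsupported version format: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def parse_ranges(text):
    """Parse concatenated intervals into (low, low_incl, high, high_incl)."""
    compact = re.sub(r"\s+", "", text)
    ranges, pos = [], 0
    for m in _INTERVAL.finditer(compact):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}")
        low = version_key(m.group(2)) if m.group(2) else None
        high = version_key(m.group(3)) if m.group(3) else None
        ranges.append((low, m.group(1) == "[", high, m.group(4) == "]"))
        pos = m.end()
    if pos != len(compact) or not ranges:
        raise ValueError("range string not fully parsed")
    return ranges


def is_affected(version, ranges_text=ADVISORY_RANGES):
    """True if version falls inside any listed vulnerable interval."""
    v = version_key(version)
    for low, low_incl, high, high_incl in parse_ranges(ranges_text):
        above = low is None or v > low or (low_incl and v == low)
        below = high is None or v < high or (high_incl and v == high)
        if above and below:
            return True
    return False


if __name__ == "__main__":
    for candidate in ("2.5.9", "2.5.15", "2.6.14", "2.7.12", "3.0.6", "3.4.1"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```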