Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework.boot/spring-boot@3.0.0

Type maven

Namespace org.springframework.boot

Name spring-boot

Version 3.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.0.13

Latest_non_vulnerable_version 4.0.6

Affected_by_vulnerabilities

url VCID-g7xv-ej5p-skgv

vulnerability_id VCID-g7xv-ej5p-skgv

summary

Spring Boot Actuator denial of service vulnerability
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

*  the application uses Spring MVC or Spring WebFlux
*  `org.springframework.boot:spring-boot-actuator` is on the classpath

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34055.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34055.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-34055

reference_id

reference_type

scores

value	0.00282
scoring_system	epss
scoring_elements	0.51901
published_at	2026-06-07T12:55:00Z

value	0.00282
scoring_system	epss
scoring_elements	0.51921
published_at	2026-06-06T12:55:00Z

value	0.00282
scoring_system	epss
scoring_elements	0.51912
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-34055

reference_url

https://github.com/spring-projects/spring-boot

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-boot

reference_url

https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60

reference_url

https://security.netapp.com/advisory/ntap-20231221-0010

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231221-0010

reference_url

https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2251917
reference_id	2251917
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2251917

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-34055

reference_id

CVE-2023-34055

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-34055

reference_url

https://spring.io/security/cve-2023-34055

reference_id

CVE-2023-34055

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://spring.io/security/cve-2023-34055

reference_url

https://github.com/advisories/GHSA-jjfh-589g-3hjx

reference_id

GHSA-jjfh-589g-3hjx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jjfh-589g-3hjx

fixed_packages

url	pkg:maven/org.springframework.boot/spring-boot@3.0.13
purl	pkg:maven/org.springframework.boot/spring-boot@3.0.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.0.13

url pkg:maven/org.springframework.boot/spring-boot@3.1.6

purl pkg:maven/org.springframework.boot/spring-boot@3.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dsz6-w5ak-xqee

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.1.6

aliases CVE-2023-34055, GHSA-jjfh-589g-3hjx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g7xv-ej5p-skgv

Fixing_vulnerabilities

url VCID-dsz6-w5ak-xqee

vulnerability_id VCID-dsz6-w5ak-xqee

summary

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

*  You use Spring Security
*  EndpointRequest.to() has been used in a Spring Security chain configuration
*  The endpoint which EndpointRequest references is disabled or not exposed via web
*  Your application handles requests to /null and this path needs protection


You are not affected if any of the following is true:

*  You don't use Spring Security
*  You don't use EndpointRequest.to()
*  The endpoint which EndpointRequest.to() refers to is enabled and is exposed
*  Your application does not handle requests to /null or this path does not need protection

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22235.json

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22235.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-22235

reference_id

reference_type

scores

value	0.00179
scoring_system	epss
scoring_elements	0.39275
published_at	2026-06-05T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39658
published_at	2026-06-07T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39685
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-22235

reference_url

https://github.com/spring-projects/spring-boot

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-boot

reference_url

https://security.netapp.com/advisory/ntap-20250516-0010

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250516-0010

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2362668
reference_id	2362668
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2362668

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-22235

reference_id

CVE-2025-22235

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-22235

reference_url

https://spring.io/security/cve-2025-22235

reference_id

CVE-2025-22235

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-28T16:16:38Z/

url

https://spring.io/security/cve-2025-22235

reference_url	https://github.com/advisories/GHSA-rc42-6c7j-7h5r
reference_id	GHSA-rc42-6c7j-7h5r
reference_type
scores
url	https://github.com/advisories/GHSA-rc42-6c7j-7h5r

fixed_packages

url pkg:maven/org.springframework.boot/spring-boot@3.0.0

purl pkg:maven/org.springframework.boot/spring-boot@3.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g7xv-ej5p-skgv

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.0.0

url pkg:maven/org.springframework.boot/spring-boot@3.3.11

purl pkg:maven/org.springframework.boot/spring-boot@3.3.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nt71-r2ww-7yen

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.3.11

url pkg:maven/org.springframework.boot/spring-boot@3.4.5

purl pkg:maven/org.springframework.boot/spring-boot@3.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nt71-r2ww-7yen

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.4.5

aliases CVE-2025-22235, GHSA-rc42-6c7j-7h5r

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dsz6-w5ak-xqee

url VCID-nt71-r2ww-7yen

vulnerability_id VCID-nt71-r2ww-7yen

summary Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40973.json

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40973.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40973

reference_id

reference_type

scores

value	9e-05
scoring_system	epss
scoring_elements	0.00896
published_at	2026-06-07T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00897
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40973

reference_url

https://github.com/spring-projects/spring-boot

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-boot

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40973

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40973

reference_url

https://spring.io/security/cve-2026-40973

reference_id

reference_type

scores

value	7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T12:42:23Z/

url

https://spring.io/security/cve-2026-40973

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2463330
reference_id	2463330
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2463330

reference_url

https://github.com/advisories/GHSA-wwpq-f5c3-7hvx

reference_id

GHSA-wwpq-f5c3-7hvx

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wwpq-f5c3-7hvx

reference_url	https://access.redhat.com/errata/RHSA-2026:17668
reference_id	RHSA-2026:17668
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17668

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

fixed_packages

url pkg:maven/org.springframework.boot/spring-boot@3.0.0

purl pkg:maven/org.springframework.boot/spring-boot@3.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g7xv-ej5p-skgv

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.0.0

url	pkg:maven/org.springframework.boot/spring-boot@3.5.14
purl	pkg:maven/org.springframework.boot/spring-boot@3.5.14
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.5.14

url	pkg:maven/org.springframework.boot/spring-boot@4.0.6
purl	pkg:maven/org.springframework.boot/spring-boot@4.0.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@4.0.6

aliases CVE-2026-40973, GHSA-wwpq-f5c3-7hvx

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nt71-r2ww-7yen

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@3.0.0

Package Instance