Spring Boot: attacker on the same network as the remote application may be able to utilize a timing attack to discover informat…
Summary
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
- 4.0.0
- 4.0.5
- 4.0.6
- 3.5.0
- 3.5.13
- 3.5.14
- 3.4.0
- 3.4.15
- 3.4.16
- 3.3.0
- 3.3.18
- 3.3.19
- 2.7.0
- 2.7.32
- 2.7.33
Official advisory · high-confidence parse· fetched 11 hours ago·verify at source
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · high-confidence parse· fetched 11 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.