From ef908457cfada1d4850c3c98a32f1795c5988795 Mon Sep 17 00:00:00 2001 From: julianladisch <533612+julianladisch@users.noreply.github.com> Date: Tue, 23 Jun 2026 11:37:24 +0200 Subject: [PATCH] Improve GHSA-g3pr-3p32-fp23 --- .../GHSA-g3pr-3p32-fp23.json | 259 +++++++++++++++++- 1 file changed, 256 insertions(+), 3 deletions(-) diff --git a/advisories/unreviewed/2026/06/GHSA-g3pr-3p32-fp23/GHSA-g3pr-3p32-fp23.json b/advisories/unreviewed/2026/06/GHSA-g3pr-3p32-fp23/GHSA-g3pr-3p32-fp23.json index 702d7f1ef3228..c76a1e13b62c6 100644 --- a/advisories/unreviewed/2026/06/GHSA-g3pr-3p32-fp23/GHSA-g3pr-3p32-fp23.json +++ b/advisories/unreviewed/2026/06/GHSA-g3pr-3p32-fp23/GHSA-g3pr-3p32-fp23.json @@ -1,24 +1,277 @@ { "schema_version": "1.4.0", "id": "GHSA-g3pr-3p32-fp23", - "modified": "2026-06-09T06:31:56Z", + "modified": "2026-06-09T06:31:57Z", "published": "2026-06-09T06:31:56Z", "aliases": [ "CVE-2026-40984" ], - "details": "In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nmicrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.\nmicrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.\nmicrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.", + "summary": "Micrometer HTTP server instrumentations DoS", + "details": "In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.11.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.10.0" + }, + { + "fixed": "1.13.19" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty12" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty12" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.11.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty12" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty12" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.19" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty11" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.16.0" + }, + { + "fixed": "1.16.5.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty11" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.15.0" + }, + { + "fixed": "1.15.11.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty11" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.14.0" + }, + { + "fixed": "1.14.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.micrometer:micrometer-jetty11" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.19" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40984" }, + { + "type": "WEB", + "url": "https://github.com/micrometer-metrics/micrometer/commit/36da131525228188a36779a28471a76c79213dd4" + }, { "type": "WEB", "url": "https://spring.io/security/cve-2026-40984"