Impact
Affected Spring Cloud Sleuth users can supply specially crafted calls that trigger a denial-of-service condition, exhausting application resources. The flaw is a resource exhaustion weakness, matching CWE-400. The impact is loss of availability for the affected service, as the crafted requests can repeatedly drain memory or processing power, but there is no direct compromise of confidentiality or integrity indicated by the description.
Affected Systems
Spring Cloud Sleuth 3.1.0 through 3.1.13 on Spring frameworks where Spring TX instrumentation is enabled. These are the only combinations listed as vulnerable. No other vendors or products are mentioned.
Risk and Exploitability
The vulnerability is scored 7.5 on CVSS, indicating moderate to high severity. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in CISA KEV. The likely attack path involves an attacker sending crafted requests to the application's exposed endpoints while Spring TX instrumentation is active; from the description it appears to be a remote exploitation scenario, but it requires that the application is reachable and the instrumentation is not disabled.
OpenCVE Enrichment