Potential Open Redirect Vulnerability in UriComponentsBuilder
CVE-2024-22243

8.1 HIGH

Key Information:

Vendor

Spring

CVE Published:
23 February 2024

Badges

👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 41%

What is CVE-2024-22243?

Applications that use UriComponentsBuilder to parse externally provided URLs are exposed to a potential security threat. If such an application parses a URL from user input and then validates the host of the parsed result, that validation can be bypassed, making the application vulnerable to open redirect attacks: an attacker can cause users to be redirected to unintended locations. Furthermore, if the validated URL is subsequently used to issue server-side requests, the same weakness can be used for server-side request forgery (SSRF), allowing unauthorized access to internal resources. Developers running the affected versions of Spring Framework should review their URL handling workflows to ensure that proper security measures are in place.

Affected Version(s)

  • Spring Framework 6.0.x < 6.0.17

  • Spring Framework 6.1.x < 6.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

EPSS Score

41% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved
